Academy LMS – WordPress LMS Plugin for Complete eLearning Solution < 3.5.1 – Unauthenticated Privilege Escalation via Account Takeover | CVE 2025-15521 | Plugin Vulnerabilities

Description

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and gain access to their account.

Affects Plugins

Fixed in 3.5.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6687ebbe-fdf4-4ecb-bf59-034bb4b0104c

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

vgo0

Verified

No

WPVDB ID

06863391-03e5-467a-8efb-6cbf0cfdf590

Timeline

Publicly Published

2026-01-20 (about 4 months ago)

Added

2026-01-20 (about 4 months ago)

Last Updated

2026-01-21 (about 4 months ago)

Other

Published

Title

Published

2024-03-29

Title

Thumbs Rating <= 5.1.0 - Unauthenticated Insecure Direct Object Reference

Published

2023-05-12

Title

RegistrationMagic < 5.2.1.0 - Admin+ Arbitrary Password Update via IDOR

Published

2025-09-22

Title

Academy LMS < 3.3.5 - Authenticated (Academy Instructor+) Insecure Direct Object Reference

Published

2026-04-08

Title

MStore API < 4.18.4 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update

Published

2023-02-27

Title

WooCommerce Multiple Customer Addresses & Shipping < 21.7 - Arbitrary Address Creation/Deletion/Access/Update via IDOR