Vulnerabilities and security researches foracademy academy

Jan 28, 2026

CVE, Research URL: CVE-2025-15521
Home page URL: Security reports for Academy LMS – eLearning and online course solution for WordPress
Application: Academy LMS – eLearning and online course solution for WordPress
Date: Jan 21, 2026
Research Description: The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and gain access to their account.
Affected versions: max 3.5.1.
Status: vulnerable

Jan 10, 2026

CVE, Research URL: CVE-2025-68527
Home page URL: Security reports for Academy LMS – eLearning and online course solution for WordPress
Application: Academy LMS – eLearning and online course solution for WordPress
Date: Dec 24, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kodezen LLC Academy LMS academy allows Stored XSS.This issue affects Academy LMS: from n/a through <= 3.4.0.
Affected versions: max 3.4.0.
Status: vulnerable

Dec 10, 2025

CVE, Research URL: CVE-2025-12099
Home page URL: Security reports for Academy LMS – eLearning and online course solution for WordPress
Application: Academy LMS – eLearning and online course solution for WordPress
Date: Nov 08, 2025
Research Description: The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.3.8 via deserialization of untrusted input in the 'import_all_courses' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Affected versions: max 3.3.9.
Status: vulnerable

Oct 11, 2025

CVE, Research URL: CVE-2025-59562
Home page URL: Security reports for Academy LMS – eLearning and online course solution for WordPress
Application: Academy LMS – eLearning and online course solution for WordPress
Date: Sep 23, 2025
Research Description: Authorization Bypass Through User-Controlled Key vulnerability in Academy LMS Academy LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Academy LMS: from n/a through 3.3.4.
Affected versions: max 3.3.5.
Status: vulnerable

Jul 15, 2024

CVE, Research URL: CVE-2024-38701
Home page URL: Security reports for Academy LMS – eLearning and online course solution for WordPress
Application: Academy LMS – eLearning and online course solution for WordPress
Date: Jul 22, 2024
Research Description: Authorization Bypass Through User-Controlled Key vulnerability in Academy LMS.This issue affects Academy LMS: from n/a through 2.0.4.
Affected versions: max 2.0.5.
Status: vulnerable

Jun 24, 2024

CVE, Research URL: CVE-2024-37234
Home page URL: Security reports for Academy LMS – eLearning and online course solution for WordPress
Application: Academy LMS – eLearning and online course solution for WordPress
Date: Jul 06, 2024
Research Description: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Kodezen Limited Academy LMS.This issue affects Academy LMS: from n/a through 2.0.4.
Affected versions: max 2.0.11.
Status: vulnerable

Jun 06, 2024

CVE, Research URL: CVE-2024-1505
Home page URL: Security reports for Academy LMS – eLearning and online course solution for WordPress
Application: Academy LMS – eLearning and online course solution for WordPress
Date: Mar 13, 2024
Research Description: The Academy LMS – eLearning and online course solution for WordPress plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.9.19. This is due to plugin allowing arbitrary user meta updates through the saved_user_info() function. This makes it possible for authenticated attackers, with minimal permissions such as students, to elevate their user role to that of an administrator.
Affected versions: max 1.9.20.
Status: vulnerable

CVE, Research URL: CVE-2024-32714
Home page URL: Security reports for Academy LMS – eLearning and online course solution for WordPress
Application: Academy LMS – eLearning and online course solution for WordPress
Date: Jun 09, 2024
Research Description: Missing Authorization vulnerability in Academy LMS academy.This issue affects Academy LMS: from n/a through 1.9.16.
Affected versions: max 1.9.17.
Status: vulnerable

CVE, Research URL: CVE-2024-35171
Home page URL: Security reports for Academy LMS – eLearning and online course solution for WordPress
Application: Academy LMS – eLearning and online course solution for WordPress
Date: May 14, 2024
Research Description: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Academy LMS academy.This issue affects Academy LMS: from n/a through 1.9.25.
Affected versions: max 1.9.26.
Status: vulnerable

CVE, Research URL: CVE-2024-33912
Home page URL: Security reports for Academy LMS – eLearning and online course solution for WordPress
Application: Academy LMS – eLearning and online course solution for WordPress
Date: May 07, 2024
Research Description: Missing Authorization vulnerability in Academy LMS.This issue affects Academy LMS: from n/a through 1.9.16.
Affected versions: max 1.9.17.
Status: vulnerable