cleantalk
Vulnerabilities and Security Researches

Academy LMS – eLearning and online course solution for WordPress, CVE-2025-15521

CVE, Research URL

CVE-2025-15521

Home page URL

Security reports for Academy LMS – eLearning and online course solution for WordPress

Application

Academy LMS – eLearning and online course solution for WordPress

Published on
Jan 21, 2026
Research Description
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and gain access to their account.
Affected versions
max 3.5.1.
Status
vulnerable
Previous vulnerability researches
Internal Link Builder (CVE-2025-14725) , Jan 27, 2026
Internal Link Builder (CVE-2025-23989) , Jan 31, 2025
New vulnerability
Dinatur (CVE-2025-68866) , Jan 28, 2026
CodeColorer (CVE-2025-68012) , Jan 28, 2026
Shield Security – Smart Bot Blocking & Intrusion Prevention Security (CVE-2025-15370) , Jan 28, 2026
Custom Fonts – Host Your Fonts Locally (CVE-2025-14351) , Jan 28, 2026
SiteLock Security (CVE-2026-24532) , Jan 28, 2026