CVE-2024-1505: Privilege Escalation in Academy LMS for WordPress
Platform: wordpress
Component: academy
Fixed in: 1.9.20
CVE-2024-1505 is a privilege escalation vulnerability discovered in the Academy LMS plugin for WordPress. This flaw allows authenticated attackers, even those with minimal permissions like student accounts, to escalate their user role to administrator. The vulnerability impacts versions of the plugin up to and including 1.9.19. A patch is available to address this issue.
Impact and Attack Scenarios
The impact of this vulnerability is significant. An attacker who successfully exploits CVE-2024-1505 gains complete control over the WordPress site. This includes the ability to modify content, install malicious plugins, access sensitive user data, and potentially compromise the entire system. The ability to escalate from a low-privilege user account to administrator bypasses standard access controls, making it a particularly dangerous vulnerability. Successful exploitation could lead to data breaches, website defacement, and denial of service.
Exploitation Context
This vulnerability was publicly disclosed on March 13, 2024. Currently, there are no known public exploits or active campaigns targeting CVE-2024-1505. It is not listed on the CISA KEV catalog at the time of writing. The relatively recent disclosure and lack of public exploits suggest a low to medium probability of exploitation, but proactive patching is still strongly recommended.
Threat Intelligence
EPSS: 0.18% (39th percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
- User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope: Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Package Information
- Active installs: 2K (Niche)
- Plugin rating: 4.9
- Requires WordPress: 6.8+
- Compatible up to: 6.9.4
- Requires PHP: 7.4+
Weakness Classification (CWE)
Mitigation and Workarounds
The primary mitigation for CVE-2024-1505 is to upgrade the Academy LMS plugin to a version that includes the fix. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider restricting user meta update permissions for users with limited roles. While not a complete solution, this can reduce the attack surface. Review user roles and permissions to ensure least privilege is enforced. Monitor WordPress logs for suspicious activity related to user meta updates.
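The interim workaround above (restricting role-related user meta updates for low-privilege users and logging attempts) can be implemented as a must-use plugin. The following is an added hardening example written for this page, not code from Academy LMS or from the advisory; it assumes that legitimate role changes on the site are made by users holding the promote_users capability (or via WP-CLI), and that the function name hre_guard_role_meta is a hypothetical choice.

```php
<?php
/**
 * Plugin Name: Harden role meta updates (added hardening example)
 *
 * Drop into wp-content/mu-plugins/. In WordPress the user's role is stored
 * in the "{table_prefix}capabilities" user meta, so a privilege escalation
 * that rewrites user meta ends up changing that key. This hook refuses such
 * a change unless the acting user may promote users, and logs the attempt.
 * Assumption: brand-new accounts (no capabilities meta yet) may still receive
 * their initial role, so registration flows keep working.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

add_filter( 'update_user_metadata', 'hre_guard_role_meta', 10, 5 );
add_filter( 'add_user_metadata', 'hre_guard_role_meta', 10, 5 );

function hre_guard_role_meta( $check, $object_id, $meta_key, $meta_value, $unused ) {
    global $wpdb;

    // Only the capabilities key carries role data; leave all other meta alone.
    if ( $meta_key !== $wpdb->get_blog_prefix() . 'capabilities' ) {
        return $check;
    }

    // Privileged actors and WP-CLI runs are allowed to change roles.
    if ( current_user_can( 'promote_users' ) || ( defined( 'WP_CLI' ) && WP_CLI ) ) {
        return $check;
    }

    // A user who has no role yet is being created; allow the initial assignment.
    if ( empty( get_user_meta( $object_id, $meta_key, true ) ) ) {
        return $check;
    }

    // Unprivileged context is changing an existing role: short-circuit the
    // write (returning false makes update_metadata() return false) and leave
    // an audit trail in the PHP error log for monitoring.
    error_log( sprintf(
        'role-meta update blocked: actor=%d target=%d new_value=%s ip=%s',
        get_current_user_id(),
        (int) $object_id,
        wp_json_encode( $meta_value ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli'
    ) );

    return false;
}
```

Test on staging first: any plugin that legitimately changes roles of existing users from a low-privilege request (for example on course enrollment) would also be blocked and would show up in the log.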
How to fix
Update the Academy LMS plugin to the latest available version. The vulnerability that allows privilege escalation has been fixed in versions after 1.9.19. This will prevent unauthorized users from obtaining administrator access.
Frequently asked questions
What is CVE-2024-1505 — Privilege Escalation in Academy LMS for WordPress?
CVE-2024-1505 is a vulnerability allowing authenticated users with limited permissions to escalate to administrator roles within the Academy LMS WordPress plugin, impacting versions up to 1.9.19.
Am I affected by CVE-2024-1505 in Academy LMS for WordPress?
If you are using Academy LMS for WordPress version 1.9.19 or earlier, you are potentially affected by this privilege escalation vulnerability.
How do I fix CVE-2024-1505 in Academy LMS for WordPress?
Upgrade the Academy LMS plugin to the latest available version, which includes the necessary fix to prevent unauthorized privilege escalation. Check the plugin repository for updates.
Is CVE-2024-1505 being actively exploited?
As of the current date, there are no confirmed reports of active exploitation of CVE-2024-1505, but proactive patching is still highly recommended.
Where can I find the official Academy LMS advisory for CVE-2024-1505?
Refer to the official Academy LMS plugin repository or website for the latest security advisory and update information regarding CVE-2024-1505.