Platform: wordpress
Component: academy-lms-pro
Fixed in: 3.3.8
CVE-2025-11086 describes a privilege escalation vulnerability within the Academy LMS Pro WordPress plugin, a tool designed for creating and managing eLearning solutions. This flaw allows unauthenticated attackers to gain administrative access to a WordPress site by exploiting improper role validation during user registration through the Social Login addon. The vulnerability impacts versions 0.0.0 through 3.3.7, and a patch is expected from the vendor.
The primary impact of CVE-2025-11086 is the potential for complete site takeover. An attacker exploiting this vulnerability can register an account and immediately elevate their role to Administrator. This grants them full control over the WordPress site, including the ability to modify content, install malicious plugins, access sensitive data, and potentially compromise other connected systems. The ease of exploitation, which requires only a successful registration, significantly increases the risk. This vulnerability shares similarities with other privilege escalation flaws in which role-based access controls are inadequately implemented.
CVE-2025-11086 was publicly disclosed on 2025-10-22. The EPSS score is likely to be medium, given the ease of exploitation and the potential for significant impact. Public proof-of-concept (POC) code is anticipated to be released shortly, increasing the likelihood of exploitation. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.
Exploit Status
EPSS: 0.08% (24th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-11086 is to upgrade the Academy LMS Pro plugin to a version containing the security fix. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider temporarily disabling the Social Login addon to prevent new account registrations from being exploited. Web Application Firewall (WAF) rules can be implemented to block suspicious registration attempts, specifically looking for requests that attempt to set the user role to 'administrator' during registration. Monitor WordPress user accounts for unexpected administrator accounts created around the time of the vulnerability's disclosure.
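One way to put a compensating control in place until the fixed version is applied, as an added example that is not code from Academy LMS Pro or its Social Login addon: because the addon's request parameters are not documented here, this must-use plugin enforces the missing check at the point where WordPress assigns roles, reverting any protected role conferred by a request that lacks the `promote_users` capability. The plugin header, the `rpa_` function names, and the choice of `administrator` as the only protected role are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict privileged role assignment (added example, not plugin code)
 * Description: Reverts administrator role assignments made by requests that are not
 *              allowed to promote users, and logs them. Drop into wp-content/mu-plugins/.
 */

// Assumption: only 'administrator' needs protecting; extend for custom privileged roles.
const RPA_PROTECTED_ROLES = array( 'administrator' );

// A legitimate role grant comes from a logged-in user who may promote users, or from WP-CLI.
// During a self-service registration (including a social-login signup) the current user
// is still unauthenticated, so this returns false and the grant is reverted.
function rpa_is_privileged_request() {
    return current_user_can( 'promote_users' ) || ( defined( 'WP_CLI' ) && WP_CLI );
}

// Role to fall back to; never fall back to a protected role even if default_role is misconfigured.
function rpa_fallback_role() {
    $default = get_option( 'default_role', 'subscriber' );
    return in_array( $default, RPA_PROTECTED_ROLES, true ) ? 'subscriber' : $default;
}

function rpa_log( $action, $user_id, $role ) {
    $user = get_userdata( $user_id );
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli';
    error_log( sprintf( 'rpa: %s role "%s" for user %d (%s) from %s; request lacked promote_users',
        $action, $role, $user_id, $user ? $user->user_login : '?', $ip ) );
}

// Fires from WP_User::set_role(), which wp_insert_user() and wp_update_user() use.
function rpa_on_set_user_role( $user_id, $role, $old_roles ) {
    if ( ! in_array( $role, RPA_PROTECTED_ROLES, true ) || rpa_is_privileged_request() ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    rpa_log( 'reverted', $user_id, $role );
    // set_role() fires this hook again; detach while reverting to avoid recursion.
    remove_action( 'set_user_role', 'rpa_on_set_user_role', 10 );
    $user->set_role( rpa_fallback_role() );
    add_action( 'set_user_role', 'rpa_on_set_user_role', 10, 3 );
}
add_action( 'set_user_role', 'rpa_on_set_user_role', 10, 3 );

// Fires from WP_User::add_role(); an extra role is simply removed again.
function rpa_on_add_user_role( $user_id, $role ) {
    if ( ! in_array( $role, RPA_PROTECTED_ROLES, true ) || rpa_is_privileged_request() ) {
        return;
    }
    rpa_log( 'removed added', $user_id, $role );
    $user = get_userdata( $user_id );
    if ( $user ) {
        $user->remove_role( $role );
    }
}
add_action( 'add_user_role', 'rpa_on_add_user_role', 10, 2 );
```

The `error_log` lines give the "unexpected administrator account" signal the paragraph above recommends monitoring for; review them alongside the user list after upgrading.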
Update the Academy LMS Pro plugin to a fixed version (3.3.8 or later) to mitigate the privilege escalation vulnerability. Make sure to take a full backup of your website before updating the plugin.
CVE-2025-11086 is a vulnerability that allows unauthenticated attackers to gain administrator privileges in the Academy LMS Pro WordPress plugin, versions 0.0.0 through 3.3.7, through improper role validation during user registration.
If you are using Academy LMS Pro version 0.0.0 through 3.3.7 and have the Social Login addon enabled, you are potentially affected by this vulnerability.
Upgrade the Academy LMS Pro plugin to a patched version. If upgrading is not immediately possible, disable the Social Login addon as a temporary workaround.
While active exploitation is not yet confirmed, the vulnerability's ease of exploitation suggests it is likely to be targeted soon after public disclosure.
Refer to the Academy LMS Pro website and WordPress plugin repository for official advisories and updates regarding CVE-2025-11086.