Platform
wordpress
Component
academy-lms-pro
Fixed in
3.3.8
CVE-2025-11086 describes a privilege escalation vulnerability within the Academy LMS Pro WordPress plugin, a tool designed for creating and managing eLearning solutions. This flaw allows unauthenticated attackers to gain administrative access to a WordPress site by exploiting improper role validation during user registration through the Social Login addon. The vulnerability impacts versions 0.0.0 through 3.3.7, and a patch is expected from the vendor.
The primary impact of CVE-2025-11086 is the potential for complete site takeover. An attacker exploiting this vulnerability can register an account and immediately elevate their role to Administrator. This grants them full control over the WordPress site, including the ability to modify content, install malicious plugins, access sensitive data, and potentially compromise other connected systems. The ease of exploitation, requiring only a successful registration, significantly increases the risk. This vulnerability shares similarities with other privilege escalation flaws where inadequate role-based access controls are implemented.
CVE-2025-11086 was publicly disclosed on 2025-10-22. The EPSS score is likely to be medium, given the ease of exploitation and the potential for significant impact. Public proof-of-concept (POC) code is anticipated to be released shortly, increasing the likelihood of exploitation. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.
WordPress sites utilizing the Academy LMS Pro plugin, particularly those relying on the Social Login addon for user registration, are at risk. Shared hosting environments where multiple WordPress installations share resources are especially vulnerable, as a compromise of one site could potentially lead to lateral movement to others. Sites with outdated plugin versions are also at increased risk.
• wordpress / composer / npm:
grep -r 'wp_set_current_user' /var/www/html/wp-content/plugins/academy-lms-pro/
• wordpress / composer / npm:
wp plugin list --status=active | grep academy-lms-pro
• wordpress / composer / npm:
curl -I https://your-wordpress-site.com/wp-login.php | grep -i 'role=administrator'
disclosure
Exploit status
EPSS
0.08% (percentile 24%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-11086 is to upgrade the Academy LMS Pro plugin to a version containing the security fix. If immediate upgrading is not possible due to compatibility issues or breaking changes, consider temporarily disabling the Social Login addon to prevent new account registrations from being exploited. Web Application Firewall (WAF) rules can be implemented to block suspicious registration attempts, specifically looking for requests that attempt to set the user role to 'administrator' during registration. Monitor WordPress user accounts for unexpected administrator accounts created around the time of the vulnerability's disclosure.
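The two defensive actions above (never trusting a role supplied during registration, and auditing for unexpected administrators after the disclosure date) can be scripted. The following is an added example written for this page; it is not code from the Academy LMS Pro plugin or its vendor, and it is in Python rather than PHP so it can be run against exported data offline. The role names in the allowlist, the known-admin list and the sample `wp user list` rows are all hypothetical or constructed; the only value taken from the advisory is the disclosure date.

```python
"""Post-disclosure checks for a WordPress registration privilege-escalation bug.

Added example, not code from the Academy LMS Pro plugin or its vendor. Two
independent checks:

1. resolve_registration_role(): the server-side fix pattern for "improper
   role validation during registration". The role a new account receives is
   never taken from the request; it is looked up in a fixed allowlist.
2. find_unexpected_admins(): the post-disclosure audit suggested by the
   advisory, run over the CSV produced by
       wp user list --role=administrator \
           --fields=ID,user_login,user_email,user_registered --format=csv
   Any administrator registered on or after the disclosure date, or not on
   the site owner's known-admin list, is flagged for review.
"""
import csv
import io
from datetime import datetime

DISCLOSURE_DATE = datetime(2025, 10, 22)  # disclosure date from the advisory

# Roles a self-service registration flow may ever assign (hypothetical names).
ALLOWED_SELF_REGISTRATION_ROLES = {"subscriber", "student"}
DEFAULT_ROLE = "subscriber"


def resolve_registration_role(requested_role):
    """Return the role a newly registered account should receive.

    A request asking for anything outside the allowlist (for example
    'administrator') falls back to DEFAULT_ROLE. The caller should also log
    such attempts: a privileged role in a registration request is itself a
    signal worth alerting on.
    """
    role = (requested_role or "").strip().lower()
    if role in ALLOWED_SELF_REGISTRATION_ROLES:
        return role
    return DEFAULT_ROLE


def find_unexpected_admins(csv_text, known_admins, disclosure=DISCLOSURE_DATE):
    """Parse `wp user list` CSV output and return (login, email, reason) tuples
    for administrators that are not in the known-admin list or that were
    registered on or after the disclosure date."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"]
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login not in known_admins:
            reasons.append("not in known-admin list")
        if registered >= disclosure:
            reasons.append("registered after disclosure")
        if reasons:
            hits.append((login, row["user_email"], "; ".join(reasons)))
    return hits


# Constructed sample output of the wp-cli command above (not real site data).
SAMPLE_WP_USER_LIST = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-04 09:12:45
7,editor_admin,editor@example.com,2024-06-18 14:02:10
913,qx7_login,qx7@example.net,2025-10-23 02:41:07
"""

# Hypothetical list of administrators the site owner recognises.
KNOWN_ADMINS = {"siteowner", "editor_admin"}

if __name__ == "__main__":
    for login, email, why in find_unexpected_admins(SAMPLE_WP_USER_LIST, KNOWN_ADMINS):
        print(f"REVIEW: {login} <{email}>: {why}")
    print(resolve_registration_role("administrator"))  # falls back to subscriber
```

On a live site, pipe the output of the `wp user list` command shown in the docstring into `find_unexpected_admins` and replace `KNOWN_ADMINS` with the accounts you actually recognise; every flagged login should be confirmed out of band before it is removed, since a legitimate administrator created after 2025-10-22 will also be reported.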
Update the Academy LMS Pro plugin to a fixed version (3.3.8 or later) to mitigate the privilege escalation vulnerability. Make sure to take a full backup of your website before updating the plugin.
CVE-2025-11086 is a vulnerability that allows unauthenticated attackers to gain administrator privileges in the Academy LMS Pro WordPress plugin, versions 0.0.0 through 3.3.7, through improper role validation during user registration.
If you are using Academy LMS Pro version 0.0.0 through 3.3.7 and have the Social Login addon enabled, you are potentially affected by this vulnerability.
Upgrade the Academy LMS Pro plugin to a patched version. If upgrading is not immediately possible, disable the Social Login addon as a temporary workaround.
While active exploitation is not yet confirmed, the vulnerability's ease of exploitation suggests it is likely to be targeted soon after public disclosure.
Refer to the Academy LMS Pro website and WordPress plugin repository for official advisories and updates regarding CVE-2025-11086.