CVE Alert: CVE-2025-11086 – academylms – Academy LMS Pro

CVE-2025-11086

HIGH. No exploitation known.

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.7. This is due to the plugin not properly validating a user’s role prior to registering a user via the Social Login addon. This makes it possible for unauthenticated attackers to update their role to Administrator when registering on the site.

CVSS v3.1: 8.1
Vendor: academylms
Product: Academy LMS Pro
Versions: <= 3.3.7
CWE: CWE-269 Improper Privilege Management
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Published: 2025-10-22T11:25:18.300Z
Updated: 2025-10-22T13:30:11.884Z

AI Summary Analysis

Risk verdict

High risk: unauthenticated privilege escalation could allow an attacker to become Administrator, with no user interaction required and network-based access; current exploitation activity is not indicated in the available SSVC/KEV data.

Why this matters

The flaw enables complete control of the LMS site if an unauthenticated user registers via the Social Login flow. Attackers could impersonate admins, disable protections, exfiltrate or alter data, and undermine user trust or compliance. With CVSS indicating high impact across confidentiality, integrity and availability, the business risk is substantial for any public-facing WordPress LMS deployment.

Most likely attack path

An unauthenticated attacker registers through the Social Login flow and elevates their role to Administrator (no pre-existing privileges are required). Because the flaw is network-facing and needs no user interaction, exploitation can occur at scale with minimal barriers. Once admin rights are acquired, the attacker can reach the whole site, its modules and stored data, consistent with the high confidentiality, integrity and availability impact.

Who is most exposed

Publicly accessible LMS sites using the affected plugin, especially those hosted on shared WordPress environments or managed hosts with open registration flows and minimal admin-change controls.

Detection ideas

  • Sudden creation of new Administrator accounts or role changes on new or existing users.
  • Unusual registrations via social login providers in the same timeframe as other admin-level actions.
  • Unexpected modifications to wp_users/wp_usermeta granting elevated privileges.
  • Anomalous plugin or core file edits connected to the Social Login addon.
  • Elevated activity from an account performing admin-level tasks outside typical patterns.
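A defender-side triage script for the first and third detection ideas above (new Administrator accounts, elevated privileges in wp_users/wp_usermeta), added here as an illustration and not part of the advisory or the plugin. The rows are constructed sample data, the `wp_` table prefix is assumed, and the allowlist of known admin IDs is something the operator supplies.

```python
import re
from datetime import datetime

# Constructed sample rows (not real site data). In practice these come from a
# SQL export of wp_users and wp_usermeta; the "wp_" table prefix is assumed.
WP_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2024-03-01 09:00:00"},
    {"ID": 57, "user_login": "student_anna", "user_registered": "2025-10-22 12:01:10"},
    {"ID": 58, "user_login": "jdoe_social", "user_registered": "2025-10-22 12:04:44"},
]
WP_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 57, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:10:"subscriber";b:1;}'},
    {"user_id": 58, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]

# WordPress stores roles as a PHP-serialized array of role => true pairs.
# Only entries set to true (b:1) grant the role.
CAP_RE = re.compile(r's:\d+:"([^"]+)";b:1;')


def roles_from_capabilities(serialized: str) -> set:
    """Extract the role names that are enabled in a wp_capabilities value."""
    return set(CAP_RE.findall(serialized))


def new_admins(users, usermeta, since: datetime, known_admin_ids: set) -> list:
    """Flag users registered at/after `since` that hold administrator and are
    not on the operator-maintained allowlist of legitimate admin IDs."""
    caps = {m["user_id"]: roles_from_capabilities(m["meta_value"])
            for m in usermeta if m["meta_key"] == "wp_capabilities"}
    flagged = []
    for u in users:
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered < since or u["ID"] in known_admin_ids:
            continue
        if "administrator" in caps.get(u["ID"], set()):
            flagged.append({"ID": u["ID"], "user_login": u["user_login"],
                            "registered": u["user_registered"]})
    return flagged


def in_advisory_range(version: str) -> bool:
    """True when the installed plugin version is within the affected range
    the advisory lists (all versions up to and including 3.3.7)."""
    parse = lambda v: tuple(int(x) for x in v.split("."))
    return parse(version) <= parse("3.3.7")


if __name__ == "__main__":
    for hit in new_admins(WP_USERS, WP_USERMETA, datetime(2025, 10, 1), {1}):
        print("review new administrator:", hit)
```

Run it against a real export after the patch as well, since the mitigation list asks for user-role integrity to be verified post-update.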

Mitigation and prioritisation

  • Patch to the latest version or apply the vendor-recommended fix immediately.
  • If patching now isn’t possible, disable or restrict the Social Login addon and/or public registration.
  • Enforce least privilege: restrict admin access, enable MFA for admin accounts, and review role assignment workflows.
  • Implement WAF rules to block known privilege-escalation patterns and monitor for admin-level modifications.
  • Schedule change control with testing in staging prior to production rollout; verify integrity of user roles after update.
