CVE Alert: CVE-2025-12099 – academylms – Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
CVE-2025-12099
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.3.8 via deserialization of untrusted input in the ‘import_all_courses’ function. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
AI Summary Analysis
Risk verdict
High risk on paper, but with strong preconditions: exploitation requires Administrator-level access, and the plugin itself ships no POP chain, so real impact depends on a gadget chain supplied by another installed plugin or theme. No KEV or EPSS indicators are provided to adjust urgency.
Why this matters
Authenticated attackers with Administrator privileges can trigger PHP Object Injection through the import_all_courses function. On its own, the injected object does nothing; code execution, data access, or arbitrary file deletion materialise only if a POP chain is present in another installed plugin or theme, which on a typical multi-plugin WordPress site is a realistic condition. Because the precondition is an admin account, the bug mainly converts a compromised or malicious administrator into a server-level compromise; downstream business risks include downtime, data leakage, and reputational harm.
Most likely attack path
An attacker with valid admin credentials submits a crafted serialized payload to the import_all_courses deserialization path, which instantiates a PHP object of a class of the attacker's choosing with attacker-controlled properties. Without a POP chain this has no practical impact; with a gadget chain from another plugin or theme, the object's magic methods (__wakeup, __destruct, __toString and similar) can execute code, read sensitive data, or delete arbitrary files. Exploitability hinges on the preconditions (admin access, no user interaction) rather than broad network access, and any lateral movement depends on the other components of the WordPress stack.
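As an added illustration (not the plugin's code; the real import routine is not reproduced here), the following PHP shows the vulnerable pattern the description implies, a hypothetical gadget class LogFlusher standing in for a POP chain that some other plugin or theme might ship, and two hardened forms. The class, function and file names are assumptions made for the example.

```php
<?php
// Added example: hypothetical gadget class representing a POP chain shipped by
// some other plugin or theme. Its destructor has a side effect, which is all an
// attacker needs once they control which class unserialize() instantiates.
class LogFlusher {
    public $logFile;

    // Runs when the object is garbage-collected, whether or not the object was
    // ever meant to be created from user data.
    public function __destruct() {
        if ($this->logFile !== null && file_exists($this->logFile)) {
            unlink($this->logFile);   // arbitrary file deletion gadget
        }
    }
}

// Vulnerable pattern: untrusted import data goes straight into unserialize().
// A payload such as O:10:"LogFlusher":1:{s:7:"logFile";s:N:"...";} picks the
// class and fills its properties. Function name is an assumption.
function import_all_courses_vulnerable(string $payload): array {
    $courses = unserialize($payload);
    return is_array($courses) ? $courses : [];
}

// Hardened form 1: refuse to instantiate any class. Objects in the payload
// become __PHP_Incomplete_Class, whose magic methods never run.
function import_all_courses_hardened(string $payload): array {
    $courses = unserialize($payload, ['allowed_classes' => false]);
    return is_array($courses) ? $courses : [];
}

// Hardened form 2: use JSON as the import format. json_decode() never creates
// objects of caller-chosen classes, so there is no gadget to reach.
function import_all_courses_json(string $payload): array {
    $courses = json_decode($payload, true, 512, JSON_THROW_ON_ERROR);
    return is_array($courses) ? $courses : [];
}

// Constructed demo payload targeting a throwaway temp file.
$target  = tempnam(sys_get_temp_dir(), 'poi');
$payload = 'O:10:"LogFlusher":1:{s:7:"logFile";s:' . strlen($target) . ':"' . $target . '";}';

import_all_courses_hardened($payload);
gc_collect_cycles();
echo "after hardened unserialize, target exists: " . var_export(file_exists($target), true) . PHP_EOL;

import_all_courses_vulnerable($payload);
gc_collect_cycles();
echo "after vulnerable unserialize, target exists: " . var_export(file_exists($target), true) . PHP_EOL;
```

Only the vulnerable call removes the temp file: the hardened call yields a __PHP_Incomplete_Class instance whose destructor is never invoked, and the JSON variant cannot produce an object at all. Note that the vulnerable function "returns nothing useful" for the object payload; the damage is done as a side effect before it returns, which is why input validation after unserialize() is not a defence.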
Who is most exposed
WordPress sites using this LMS plugin (<= 3.3.8) with active admin accounts are exposed; common deployments include small-to-mid-size sites hosting training content, often with multiple plugins and accessible admin consoles.
Detection ideas
- Look for PHP serialized-object tokens (for example O:<len>:"ClassName":) in request bodies or parameters sent to the course-import action; a legitimate import may carry serialized arrays, but objects are the signal.
- PHP error logs showing unserialize()-related notices, __PHP_Incomplete_Class references, or errors from malformed serialized data.
- Anomalous activity on whichever endpoint the import handler is reached through (admin-ajax.php or the REST API are the usual candidates in WordPress plugins), especially from admin sessions that do not normally import courses.
- Sudden changes to course data, unexpected file deletions, or modified plugin/theme code paths.
- WAF alerts for serialized-object payload patterns, including payloads wrapped in URL encoding or base64.
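The following PHP is an added example of the request check the two serialized-payload detection ideas above describe; it is not part of the plugin or of any WAF product. It flags request parameters that contain a PHP serialized-object header, also when the value is URL-encoded or base64-wrapped, and runs against constructed sample requests. The parameter names and class name are assumptions.

```php
<?php
// Added example: request-inspection check for PHP serialized-object payloads,
// of the kind a WAF rule or a logging hook on the import action could apply.

// Matches a serialized object header: O:<len>:"<ClassName>":<count>:{
// Class names may be namespaced (backslashes); C: covers Serializable classes.
const SERIALIZED_OBJECT_RE = '/\b[OC]:\d+:"[A-Za-z_\\\\][\w\\\\]*":\d+:[{]/';

function looks_like_serialized_object(string $value): bool {
    $candidates = [$value, rawurldecode($value)];
    // Import blobs are often base64-wrapped; strict mode rejects non-base64 input.
    $decoded = base64_decode($value, true);
    if ($decoded !== false && $decoded !== '') {
        $candidates[] = $decoded;
    }
    foreach ($candidates as $candidate) {
        if (preg_match(SERIALIZED_OBJECT_RE, $candidate) === 1) {
            return true;
        }
    }
    return false;
}

// Returns the names of request parameters carrying a serialized-object payload.
function flag_serialized_object_params(array $params): array {
    $flagged = [];
    foreach ($params as $name => $value) {
        if (is_string($value) && looks_like_serialized_object($value)) {
            $flagged[] = $name;
        }
    }
    return $flagged;
}

// Constructed sample requests (not real traffic; action name is an assumption).
$benign = [
    'action'  => 'academy_import_courses',
    'courses' => 'a:1:{i:0;a:2:{s:5:"title";s:5:"Intro";s:5:"price";i:0;}}', // arrays only
];
$malicious = [
    'action'  => 'academy_import_courses',
    'courses' => 'O:10:"LogFlusher":1:{s:7:"logFile";s:18:"/var/www/wp-config";}',
];
$wrapped = [
    'action'  => 'academy_import_courses',
    'courses' => base64_encode('a:1:{i:0;O:10:"LogFlusher":1:{s:7:"logFile";s:10:"/tmp/x.txt";}}'),
];

foreach (['benign' => $benign, 'malicious' => $malicious, 'base64-wrapped' => $wrapped] as $label => $req) {
    $hits = flag_serialized_object_params($req);
    echo $label . ': ' . ($hits ? 'flag ' . implode(',', $hits) : 'clean') . PHP_EOL;
}
```

The benign request is reported clean because serialized arrays of scalars contain no O: header, while the other two are flagged. Treat this as a compensating control only: an attacker with admin access can also nest the object inside a larger structure or split it across parameters, so the durable fix is on the server side (allowed_classes => false, or a non-serialized import format).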
Mitigation and prioritisation
- Update Academy LMS to a release newer than 3.3.8; if no fixed release is available for your site, disable the plugin until remediation.
- Enforce MFA and strict admin access controls; limit wp-admin access by IP or network, since the only precondition is an Administrator session.
- Inventory installed plugins and themes and remove those with known POP chains; keep the plugin footprint minimal, because any class with a __destruct, __wakeup or __toString side effect is a candidate gadget, and apply compensating controls (request inspection, file integrity monitoring) where removal is not possible.
- Log and monitor admin actions related to course import; alert on imports from unusual accounts, sources or times, and on payloads containing serialized objects.
- Plan staged patching with a rollback strategy and communicate downtime windows where applicable.
