Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Remote upload endpoint (AV:N) reachable only by a high-privileged plugin user (PR:H) with a non-trivial validation bypass (AC:H); web shell execution under the WordPress runtime affects other components, yielding S:C and full C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server.
This issue affects Academy LMS Pro: from n/a before 3.5.2.
AnalysisAI
Arbitrary file upload in Kodezen Academy LMS Pro (WordPress plugin) versions prior to 3.5.2 allows authenticated attackers with high privileges to upload web shells to the underlying web server, leading to full site compromise. The flaw was reported by Patchstack and a vendor patch is available, but no public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Attacker must possess a high-privileged authenticated session on the WordPress site running Academy LMS Pro (PR:H - typically Administrator or an Academy LMS role with file-upload capability) and reach the plugin's file-upload handler over the network (AV:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 8.0 is driven by network reach (AV:N), full CIA impact (C:H/I:H/A:H), and scope change (S:C), but is tempered by high attack complexity (AC:H) and high privileges required (PR:H) - meaning the attacker already needs a privileged account (typically admin-equivalent) and must meet some additional condition to succeed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a high-privileged Academy LMS Pro account - for example via credential phishing of an instructor/admin or a compromised reseller account - authenticates to the WordPress site and submits a crafted upload to the vulnerable plugin endpoint with a PHP payload disguised as a course resource. The server stores the file inside the webroot, and the attacker then requests the uploaded URL, executing the web shell as the PHP-FPM/Apache user and pivoting to full site takeover. … |
| Remediation | Upgrade Academy LMS Pro to version 3.5.2 or later, which is the vendor-released patched version per the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/academy-pro/vulnerability/wordpress-academy-lms-pro-plugin-3-5-2-arbitrary-file-upload-vulnerability). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit deployment of Kodezen Academy LMS Pro across all WordPress instances and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37502