Skip to main content

Academy LMS Pro CVE-2026-39598

| EUVDEUVD-2026-37502 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-16 Patchstack
8.0
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.0 HIGH
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.0 HIGH

Remote upload endpoint (AV:N) reachable only by a high-privileged plugin user (PR:H) with a non-trivial validation bypass (AC:H); web shell execution under the WordPress runtime affects other components, yielding S:C and full C/I/A impact.

3.1 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 23:33 vuln.today
Patch available
Jun 16, 2026 - 23:02 EUVD

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server.

This issue affects Academy LMS Pro: from n/a before 3.5.2.

AnalysisAI

Arbitrary file upload in Kodezen Academy LMS Pro (WordPress plugin) versions prior to 3.5.2 allows authenticated attackers with high privileges to upload web shells to the underlying web server, leading to full site compromise. The flaw was reported by Patchstack and a vendor patch is available, but no public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain high-privilege plugin account
Delivery
Authenticate to WordPress admin
Exploit
Submit crafted file upload to Academy LMS endpoint
Install
Bypass file-type validation
C2
Web shell written under webroot
Execute
Request shell URL to execute PHP
Impact
Full site and server compromise

Vulnerability AssessmentAI

Exploitation Attacker must possess a high-privileged authenticated session on the WordPress site running Academy LMS Pro (PR:H - typically Administrator or an Academy LMS role with file-upload capability) and reach the plugin's file-upload handler over the network (AV:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 8.0 is driven by network reach (AV:N), full CIA impact (C:H/I:H/A:H), and scope change (S:C), but is tempered by high attack complexity (AC:H) and high privileges required (PR:H) - meaning the attacker already needs a privileged account (typically admin-equivalent) and must meet some additional condition to succeed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a high-privileged Academy LMS Pro account - for example via credential phishing of an instructor/admin or a compromised reseller account - authenticates to the WordPress site and submits a crafted upload to the vulnerable plugin endpoint with a PHP payload disguised as a course resource. The server stores the file inside the webroot, and the attacker then requests the uploaded URL, executing the web shell as the PHP-FPM/Apache user and pivoting to full site takeover. …
Remediation Upgrade Academy LMS Pro to version 3.5.2 or later, which is the vendor-released patched version per the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/academy-pro/vulnerability/wordpress-academy-lms-pro-plugin-3-5-2-arbitrary-file-upload-vulnerability). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit deployment of Kodezen Academy LMS Pro across all WordPress instances and document current versions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-39598 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy