Skip to main content

Academy LMS Pro EUVDEUVD-2026-37502

| CVE-2026-39598 HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-16 Patchstack
8.0
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
8.0 HIGH
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.0 HIGH

Remote upload endpoint (AV:N) reachable only by a high-privileged plugin user (PR:H) with a non-trivial validation bypass (AC:H); web shell execution under the WordPress runtime affects other components, yielding S:C and full C/I/A impact.

3.1 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 23:33 vuln.today
Patch available
Jun 16, 2026 - 23:02 EUVD

DescriptionCVE.org

Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server.

This issue affects Academy LMS Pro: from n/a before 3.5.2.

AnalysisAI

Arbitrary file upload in Kodezen Academy LMS Pro (WordPress plugin) versions prior to 3.5.2 allows authenticated attackers with high privileges to upload web shells to the underlying web server, leading to full site compromise. The flaw was reported by Patchstack and a vendor patch is available, but no public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

Academy LMS Pro is a commercial WordPress learning management system plugin distributed by Kodezen LLC, identified by CPE cpe:2.3:a:kodezen_llc:academy_lms_pro. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), where a file-upload handler within the plugin fails to validate file type, extension, or MIME against an allow-list, accepting executable PHP content. Because WordPress plugins typically place uploads inside the document root, an uploaded .php file is directly reachable via HTTP and executed by the PHP interpreter, giving the attacker code execution in the context of the web server user.

RemediationAI

Upgrade Academy LMS Pro to version 3.5.2 or later, which is the vendor-released patched version per the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/academy-pro/vulnerability/wordpress-academy-lms-pro-plugin-3-5-2-arbitrary-file-upload-vulnerability). If upgrade is not immediately possible, restrict access to the plugin's upload endpoints via the web server or a WAF rule that blocks requests containing executable extensions (.php, .phtml, .phar) in multipart uploads, deny PHP execution inside the wp-content/uploads directory using an Apache/Nginx config rule (side effect: breaks any legitimate plugin relying on PHP under uploads), and audit existing administrator and instructor accounts plus credentials given the PR:H requirement. After patching, scan the webroot for unexpected PHP files placed before the upgrade since the patch does not remove already-deployed web shells.

Share

EUVD-2026-37502 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy