Severity by source
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Remote upload endpoint (AV:N) reachable only by a high-privileged plugin user (PR:H) with a non-trivial validation bypass (AC:H); web shell execution under the WordPress runtime affects other components, yielding S:C and full C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server.
This issue affects Academy LMS Pro: from n/a before 3.5.2.
AnalysisAI
Arbitrary file upload in Kodezen Academy LMS Pro (WordPress plugin) versions prior to 3.5.2 allows authenticated attackers with high privileges to upload web shells to the underlying web server, leading to full site compromise. The flaw was reported by Patchstack and a vendor patch is available, but no public exploit has been identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
Academy LMS Pro is a commercial WordPress learning management system plugin distributed by Kodezen LLC, identified by CPE cpe:2.3:a:kodezen_llc:academy_lms_pro. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), where a file-upload handler within the plugin fails to validate file type, extension, or MIME against an allow-list, accepting executable PHP content. Because WordPress plugins typically place uploads inside the document root, an uploaded .php file is directly reachable via HTTP and executed by the PHP interpreter, giving the attacker code execution in the context of the web server user.
RemediationAI
Upgrade Academy LMS Pro to version 3.5.2 or later, which is the vendor-released patched version per the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/academy-pro/vulnerability/wordpress-academy-lms-pro-plugin-3-5-2-arbitrary-file-upload-vulnerability). If upgrade is not immediately possible, restrict access to the plugin's upload endpoints via the web server or a WAF rule that blocks requests containing executable extensions (.php, .phtml, .phar) in multipart uploads, deny PHP execution inside the wp-content/uploads directory using an Apache/Nginx config rule (side effect: breaks any legitimate plugin relying on PHP under uploads), and audit existing administrator and instructor accounts plus credentials given the PR:H requirement. After patching, scan the webroot for unexpected PHP files placed before the upgrade since the patch does not remove already-deployed web shells.
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37502