Skip to main content

Academy LMS EUVDEUVD-2026-43658

| CVE-2026-9341 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-14 Wordfence GHSA-jvgv-xrf5-mp7h
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.4 MEDIUM

C:L added over official vector because get_lesson_note explicitly enables reading private notes; all other metrics align with PR:L subscriber requirement and network delivery.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 14, 2026 - 12:01 vuln.today
CVE Published
Jul 14, 2026 - 11:30 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Academy LMS - WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.0 via the 'save_lesson_note', 'get_lesson_note', and 'complete_lesson_video' AJAX handlers due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read, overwrite, or delete the private lesson notes of any other user (including administrators), and to falsify lesson-completion progress for arbitrary users.

AnalysisAI

Insecure Direct Object Reference in the Academy LMS WordPress plugin (all versions through 3.8.0) allows authenticated attackers with Subscriber-level access to read, overwrite, or delete the private lesson notes of any user - including administrators - and to falsify lesson-completion records for arbitrary accounts. Three AJAX handlers (save_lesson_note, get_lesson_note, complete_lesson_video) perform no ownership validation on a user-controlled key, making cross-user data manipulation trivially achievable by any registered site user. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or compromise subscriber account
Delivery
Authenticate to WordPress site
Exploit
Identify target user ID via enumeration or known value
Execution
Craft AJAX POST to vulnerable lesson handler with target user ID
Persist
Bypass missing ownership validation
Impact
Read, overwrite, or delete target's lesson notes; falsify lesson-completion records

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress user account at Subscriber level or above on the target site - unauthenticated exploitation is not possible per the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N accurately captures the low-complexity, network-accessible nature of the flaw but appears to undercount the confidentiality dimension: the CVE description explicitly states that get_lesson_note enables reading other users' private notes, which corresponds to C:L rather than C:N - this discrepancy should be verified against the vendor's scoring rationale. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site running Academy LMS 3.8.0 or earlier, then issues a crafted authenticated AJAX POST request to wp-admin/admin-ajax.php with action=get_lesson_note and a target user's ID or note ID substituted in the user-controlled key parameter, successfully retrieving that user's private lesson notes. The same technique applied to save_lesson_note or complete_lesson_video allows overwriting notes or falsifying the completion status of any course lesson for any enrolled user, including administrators. …
Remediation An upstream fix has been committed to the WordPress plugin repository as changeset 3573111 (https://plugins.trac.wordpress.org/changeset/3573111/); users should update the Academy LMS plugin to the first release beyond 3.8.0 as soon as it becomes available through the WordPress plugin dashboard, since the exact patched release version is not independently confirmed from the provided data - verify the current latest version in the WordPress Plugin Directory before updating. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-4974 CRITICAL POC
9.8 Sep 15

A vulnerability was found in Academy LMS 6.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploit

CVE-2025-71179 MEDIUM POC
6.1 Feb 03

Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to t

CVE-2024-38959 MEDIUM POC
6.1 Jul 09

Cross Site Scripting vulnerability in Creativeitem Academy LMS Learning Management System v.6.8.1 allows a remote attack

CVE-2023-4973 MEDIUM POC
6.1 Sep 15

A vulnerability was found in Academy LMS 6.2 on Windows. Rated medium severity (CVSS 6.1), this vulnerability is remotel

CVE-2023-38964 MEDIUM POC
6.1 Aug 04

Creative Item Academy LMS 6.0 was discovered to contain a cross-site scripting (XSS) vulnerability. Rated medium severit

CVE-2023-4119 MEDIUM POC
6.1 Aug 03

A vulnerability has been found in Academy LMS 6.0 and classified as problematic. Rated medium severity (CVSS 6.1), this

CVE-2024-1505 HIGH
8.8 Mar 13

The Academy LMS - eLearning and online course solution for WordPress plugin for WordPress is vulnerable to privilege esc

CVE-2024-38701 HIGH
8.8 Jul 22

Authorization Bypass Through User-Controlled Key vulnerability in Academy LMS.0.4. Rated high severity (CVSS 8.8), this

CVE-2024-32714 HIGH
8.8 Jun 09

Missing Authorization vulnerability in Academy LMS academy.9.16. Rated high severity (CVSS 8.8), this vulnerability is r

CVE-2022-29380 MEDIUM POC
4.8 May 25

Academy-LMS v4.3 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the SEO panel. Rated med

CVE-2024-33912 HIGH
7.1 May 06

Missing Authorization vulnerability in Academy LMS.9.16. Rated high severity (CVSS 7.1), this vulnerability is remotely

CVE-2023-3752 MEDIUM
6.1 Jul 19

A vulnerability was found in Creativeitem Academy LMS 5.15. Rated medium severity (CVSS 6.1), this vulnerability is remo

Share

EUVD-2026-43658 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy