CVE-2025-15521 in Academy LMS Plugin
Summary
by MITRE • 01/21/2026
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and gain access to their account.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/27/2026
The vulnerability identified as CVE-2025-15521 affects the Academy LMS WordPress plugin, a popular learning management system solution that enables educational institutions to create and manage online courses. This plugin serves as a comprehensive eLearning platform within the WordPress ecosystem, making it a critical component for many educational organizations. The vulnerability resides in the plugin's password reset functionality, which has been designed without proper authentication verification mechanisms. Security researchers have identified that all versions up to and including 3.5.0 contain this critical flaw that compromises the integrity of user account management.
The technical root cause of this vulnerability stems from inadequate input validation and flawed authorization logic within the plugin's password update mechanism. The system relies exclusively on a nonce value for authorization purposes, which is a time-based token used to prevent cross-site request forgery attacks. However, this nonce is publicly exposed and accessible to unauthenticated users, creating a fundamental security weakness. The plugin fails to verify the actual identity of the user attempting to modify their password, allowing attackers to submit password change requests without proper authentication. This represents a classic example of insufficient validation of user identity, classified under CWE-862 - Authorization Bypass Through User-Controlled Key, and falls within the ATT&CK framework under privilege escalation techniques.
The operational impact of this vulnerability is severe and far-reaching for any organization using the affected plugin. An unauthenticated attacker can exploit this weakness to change passwords for any user account within the WordPress installation, including high-privilege administrator accounts. This creates a complete compromise of the system's access controls, allowing unauthorized individuals to gain full administrative privileges. The vulnerability essentially enables account takeover attacks that can lead to complete system compromise, data exfiltration, and potential lateral movement within the network. Organizations using this plugin may experience unauthorized access to sensitive educational content, student data breaches, and complete control over their learning management systems.
Organizations affected by this vulnerability should immediately implement several mitigation strategies to protect their systems. The primary recommendation is to update to the latest version of the Academy LMS plugin where the vulnerability has been patched, as this will address the improper nonce handling and implement proper user identity validation. Additionally, administrators should conduct comprehensive security audits of their WordPress installations to identify any other plugins or themes that may be vulnerable to similar issues. Network-level protections such as web application firewalls and rate limiting should be implemented to detect and block suspicious password reset requests. Regular monitoring of user account activities and implementing multi-factor authentication for administrative accounts can provide additional layers of security. Security teams should also consider implementing principle of least privilege access controls and regularly reviewing user permissions to minimize the impact of potential compromises. This vulnerability highlights the critical importance of proper authentication mechanisms and demonstrates how seemingly minor flaws in access control can lead to complete system compromise.