CVE-2026-5348 in Academy LMS Plugininfo

Summary

by MITRE • 07/02/2026

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to '__return_true', allowing unauthenticated access to course curriculum data without verifying the course's post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/02/2026

The Academy LMS WordPress plugin presents a critical security vulnerability classified as Insecure Direct Object Reference that affects versions up to and including 3.8.1. This weakness stems from improper access control implementation within the plugin's REST API framework where the '/topics' endpoint lacks adequate authentication checks. The vulnerability manifests through a permission callback function set to '__return_true' which effectively disables all access restrictions, creating an avenue for unauthorized data exposure. This flaw fundamentally undermines the security model of the learning management system by allowing attackers to bypass normal authorization mechanisms that should protect sensitive educational content.

The technical implementation of this vulnerability occurs at the REST API registration level where the plugin fails to validate user credentials or course access permissions before serving curriculum data. When an attacker enumerates valid course IDs through various means such as API discovery, brute force techniques, or information leakage from other sources, they can directly request topic information from the vulnerable endpoint without any authentication requirements. The system processes these requests without verifying whether the requesting entity has legitimate access rights to view the specific course content, nor does it check if the course is in a private status, draft state, scheduled for future publication, or protected by password restrictions.

The operational impact of this vulnerability extends beyond simple information disclosure to potentially compromise the integrity and confidentiality of educational data within the learning management ecosystem. Attackers can access detailed curriculum information including lesson structures, content outlines, and organizational frameworks for courses that should remain private or restricted to enrolled participants only. This exposure creates risks for institutions where proprietary course materials, upcoming assessments, or sensitive educational content could be accessed by unauthorized parties. The vulnerability particularly affects academic environments where course confidentiality is paramount for maintaining assessment integrity and protecting intellectual property.

From a cybersecurity perspective, this vulnerability aligns with CWE-284 (Improper Access Control) and represents a clear violation of the principle of least privilege in access control design. The ATT&CK framework categorizes this as a privilege escalation technique through API abuse where attackers leverage exposed endpoints to gain unauthorized access to restricted resources. Organizations using this plugin face increased risk of competitive intelligence theft, academic misconduct, and potential regulatory violations depending on their industry compliance requirements. The vulnerability also demonstrates poor security by design practices where authentication mechanisms are bypassed through improper callback function implementation.

Mitigation strategies should begin with immediate patching to the latest available version of the Academy LMS plugin where this access control flaw has been addressed. Administrators should implement additional network-level restrictions such as firewall rules or API gateways that limit access to REST endpoints based on trusted IP addresses or authentication tokens. Regular security audits of WordPress plugins should include verification of permission callback implementations and access control mechanisms within REST API endpoints. Organizations may also consider implementing rate limiting and monitoring for unusual API access patterns that could indicate enumeration attempts. The vulnerability underscores the importance of proper authentication implementation and regular security testing of third-party plugins to maintain overall system integrity.

Responsible

Wordfence

Reservation

04/01/2026

Disclosure

07/02/2026

Moderation

accepted

CPE

ready

EPSS

0.00262

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!