CVE-2026-9341 in Academy LMS Plugin
Summary
by MITRE • 07/14/2026
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.0 via the 'save_lesson_note', 'get_lesson_note', and 'complete_lesson_video' AJAX handlers due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read, overwrite, or delete the private lesson notes of any other user (including administrators), and to falsify lesson-completion progress for arbitrary users.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/14/2026
The Academy LMS WordPress plugin presents a critical security vulnerability classified as Insecure Direct Object Reference that affects all versions through 3.8.0. This weakness stems from insufficient input validation within three specific AJAX handlers: save_lesson_note, get_lesson_note, and complete_lesson_video. The vulnerability operates by failing to properly validate user-controlled parameters that serve as object identifiers, allowing malicious actors to manipulate these values and gain unauthorized access to resources they should not be able to reach. The flaw specifically targets authenticated users with Subscriber-level privileges or higher, making it particularly dangerous as it can be exploited by users who already have some level of system access. From a technical perspective, this vulnerability maps directly to CWE-639 which defines Insecure Direct Object Reference as a condition where the application provides direct access to objects based on user-supplied input without proper authorization checks. The attack vector leverages the WordPress AJAX infrastructure, where these handlers process requests without implementing adequate access control mechanisms that would normally prevent users from accessing data belonging to other accounts.
The operational impact of this vulnerability extends beyond simple information disclosure to encompass full privilege escalation capabilities within the lesson completion and note-taking subsystems. An authenticated attacker can manipulate lesson notes across all user accounts including administrators, potentially leading to data corruption, privacy breaches, or even the compromise of sensitive educational content. The ability to falsify lesson completion progress represents a particularly dangerous aspect as it allows attackers to manipulate learning management system records, potentially affecting grading, certification, and progress tracking for legitimate users. This vulnerability directly aligns with ATT&CK technique T1078 which covers Valid Accounts and privilege escalation through the manipulation of system resources. The attack surface is significant given that lesson notes often contain sensitive information about user performance, personal details, or instructional content that should remain private to individual learners. Additionally, the ability to manipulate completion status can undermine the integrity of the entire learning management system, affecting both administrative oversight and learner trust in the platform's accuracy.
Mitigation strategies for this vulnerability must address both immediate remediation and long-term architectural improvements to prevent similar issues from occurring in the future. The most direct fix involves implementing proper access control validation within all three affected AJAX handlers by verifying that users can only access resources belonging to their own accounts or those they are explicitly authorized to modify. This requires adding user ownership checks that cross-reference the authenticated user's identity with the requested object's owner before permitting any operations. Security patches should enforce strict parameter validation and implement proper authorization controls in accordance with the principle of least privilege. Organizations should also consider implementing additional monitoring for unusual AJAX activity patterns that might indicate exploitation attempts, particularly around lesson note access and completion status modifications. The vulnerability demonstrates how seemingly simple input parameters can create significant security risks when not properly validated, highlighting the importance of defensive programming practices such as those recommended in the OWASP Top Ten and NIST Cybersecurity Framework. Regular security audits of WordPress plugins should include thorough examination of AJAX handler implementations to identify similar access control weaknesses that could be exploited by authenticated users with minimal privileges.