CVE-2025-11086
BaseFortify
Publication date: 2025-10-22
Last updated on: 2025-10-22
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| academy_lms | wordpress_lms_plugin | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Update the Academy LMS WordPress plugin to version 3.3.8 or later, as this version includes fixes that address the privilege escalation vulnerability present in versions up to and including 3.3.7. [1]
Can you explain this vulnerability to me?
The vulnerability in the Academy LMS WordPress plugin allows unauthenticated attackers to escalate their privileges by exploiting improper validation of user roles during registration via the Social Login addon. This means attackers can register on the site and assign themselves the Administrator role without authorization.
How can this vulnerability impact me? :
This vulnerability can allow attackers to gain Administrator access to your WordPress site without authentication. With Administrator privileges, attackers can fully control the site, including modifying content, managing users, installing malicious code, and potentially compromising the entire system's security and integrity.