CVE-2026-9341
Received Received - Intake

IDOR Vulnerability in Academy LMS WordPress Plugin

Vulnerability report for CVE-2026-9341, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Wordfence

Description

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.0 via the 'save_lesson_note', 'get_lesson_note', and 'complete_lesson_video' AJAX handlers due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read, overwrite, or delete the private lesson notes of any other user (including administrators), and to falsify lesson-completion progress for arbitrary users.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
academy lms to 3.8.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-9341 is an Insecure Direct Object Reference (IDOR) vulnerability in the Academy LMS – WordPress LMS Plugin for Complete eLearning Solution. This vulnerability exists in all versions up to and including 3.8.0.

The issue occurs via the 'save_lesson_note', 'get_lesson_note', and 'complete_lesson_video' AJAX handlers. These handlers lack proper validation on a user-controlled key, allowing authenticated attackers with Subscriber-level access or higher to perform unauthorized actions.

  • Attackers can read, overwrite, or delete the private lesson notes of any other user, including administrators.
  • Attackers can falsify lesson-completion progress for arbitrary users.
Impact Analysis

If you use the Academy LMS plugin on your WordPress site, this vulnerability could have several impacts:

  • Unauthorized access to sensitive data: Attackers with minimal privileges (Subscriber-level) can read or modify private lesson notes belonging to other users, including administrators.
  • Data integrity issues: Attackers can overwrite or delete lesson notes, leading to loss of important information or unauthorized changes.
  • Falsified progress tracking: Attackers can manipulate lesson-completion records, which could affect course certifications, user progress tracking, or administrative oversight.

This could lead to reputational damage, loss of trust, or operational disruptions if the affected data is critical to your eLearning platform.

Compliance Impact

This vulnerability could impact compliance with several standards and regulations, depending on the nature of the data handled by the Academy LMS plugin:

  • GDPR (General Data Protection Regulation): If the plugin stores or processes personal data of EU citizens (e.g., user notes, progress records), unauthorized access or modification of this data could violate GDPR principles. Specifically, it may breach Article 5 (data integrity and confidentiality) and Article 32 (security of processing).
  • HIPAA (Health Insurance Portability and Accountability Act): If the plugin is used in a healthcare-related context and handles protected health information (PHI), this vulnerability could lead to unauthorized access or alteration of PHI, violating HIPAA's Security Rule and Privacy Rule.
  • Other standards: Depending on the industry, this vulnerability could also affect compliance with frameworks like ISO 27001 (information security management) or FERPA (Family Educational Rights and Privacy Act) if educational records are compromised.

Organizations should assess whether the affected data falls under any regulatory scope and take corrective actions to mitigate risks.

Detection Guidance

Detecting this vulnerability requires checking for signs of exploitation or verifying the presence of the vulnerable plugin version on your WordPress site. Since the vulnerability is related to specific AJAX handlers (save_lesson_note, get_lesson_note, and complete_lesson_video), you can look for unusual activity in your web server logs or WordPress logs involving these endpoints.

  • Check the installed version of the Academy LMS plugin. If it is version 3.8.0 or below, your site is vulnerable. You can do this by navigating to the WordPress admin dashboard, going to 'Plugins', and checking the version number next to 'Academy LMS'.
  • Review web server logs for requests to /wp-admin/admin-ajax.php with actions like 'save_lesson_note', 'get_lesson_note', or 'complete_lesson_video'. Look for unexpected or unauthorized access patterns, such as requests from unfamiliar IP addresses or unusual user roles.
  • Use a WordPress security plugin or tool to scan for known vulnerabilities in installed plugins. Tools like Wordfence, Sucuri, or WPScan can help identify if your site is running a vulnerable version of Academy LMS.

Example command to check the plugin version via the command line (if you have access to the WordPress installation directory):

  • grep -i 'Version' /path/to/wordpress/wp-content/plugins/academy-lms/academy-lms.php
Mitigation Strategies

To mitigate this vulnerability, follow these immediate steps:

  • Update the Academy LMS plugin to the latest version if a patch is available. The vendor may have released a fix in versions later than 3.8.0. Check the plugin's official website or the WordPress plugin repository for updates.
  • If no patch is available, consider disabling the plugin temporarily until a fix is released. This will prevent attackers from exploiting the vulnerability.
  • Restrict access to the vulnerable AJAX handlers by modifying the plugin's code or using a WordPress security plugin to block unauthorized access. For example, you can add checks to ensure that users can only access their own lesson notes and completion data.
  • Monitor your WordPress site for suspicious activity, such as unauthorized changes to lesson notes or completion statuses. Enable logging for the vulnerable endpoints to track any exploitation attempts.
  • Review user roles and permissions to ensure that only trusted users have Subscriber-level access or higher. Consider revoking unnecessary privileges from users who do not require them.
  • If you suspect that the vulnerability has already been exploited, audit the lesson notes and completion data for all users to identify any unauthorized modifications or deletions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9341. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart