vulnerability

WordPress Plugin: academy-pro: CVE-2025-11086: Improper Privilege Management

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
9	(AV:N/AC:M/Au:N/C:C/I:C/A:C)	Oct 21, 2025	Oct 22, 2025	Oct 23, 2025

Severity

CVSS

(AV:N/AC:M/Au:N/C:C/I:C/A:C)

Published

Oct 21, 2025

Added

Oct 22, 2025

Modified

Oct 23, 2025

Description

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.7. This is due to the plugin not properly validating a user's role prior to registering a user via the Social Login addon. This makes it possible for unauthenticated attackers to update their role to Administrator when registering on the site.

Solution

academy-pro-plugin-cve-2025-11086

References

URL-https://www.cve.org/CVERecord?id=CVE-2025-11086
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/0f42f0be-5386-448b-9e65-5d2584cc2175?source=api-prod
CVE-2025-11086
https://attackerkb.com/topics/CVE-2025-11086
CWE-269

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today