CVE-2024-35171

5.3 MEDIUM

📋 TL;DR

This vulnerability in the Academy LMS WordPress plugin exposes sensitive information to unauthorized actors. It affects Academy LMS versions up to and including 1.9.25, allowing attackers to read data they should not have permission to view. Any WordPress site running a vulnerable version of this plugin is affected.

💻 Affected Systems

Products:
  • Academy LMS WordPress Plugin
Versions: n/a through 1.9.25
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations using the Academy LMS plugin. The vulnerability exists in the plugin itself regardless of WordPress version.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive user data, course materials, or administrative information, potentially leading to data breaches, privacy violations, or intellectual property theft.

🟠 Likely Case

Unauthorized access to user information, course content, or other sensitive data stored within the LMS system.

🟢 If Mitigated

Limited exposure with proper access controls and monitoring, but still represents an information disclosure risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CWE-200 vulnerabilities typically involve straightforward information disclosure without complex exploitation requirements.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.26 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/academy/wordpress-academy-lms-plugin-1-9-25-sensitive-data-exposure-vulnerability

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find Academy LMS plugin
4. Click 'Update Now' if update is available
5. Alternatively, download version 1.9.26+ from WordPress repository and manually update

🔧 Temporary Workarounds

Disable Plugin (applies to: all)

Temporarily disable the Academy LMS plugin until patched:

wp plugin deactivate academy

Restrict Access (applies to: all)

Implement IP whitelisting or firewall rules to restrict access to the affected endpoints.

🧯 If You Can't Patch

  • Implement strict access controls and monitoring for sensitive data access patterns
  • Consider migrating to alternative LMS solutions if patching is not feasible

🔍 How to Verify

Check if Vulnerable:

Check the installed plugin version in the WordPress admin panel or via WP-CLI: wp plugin get academy --field=version

Check Version:

wp plugin get academy --field=version

Verify Fix Applied:

Verify that the plugin version is 1.9.26 or higher, then test the sensitive data endpoints to confirm that proper access controls are enforced.
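The version check above, scripted for fleet use, as an added example that is not part of the advisory: it reads the installed Academy LMS version with the advisory's WP-CLI command (or takes a version string as its argument), compares it component by component against the first patched release, 1.9.26, and reports whether the site still needs the update. The plugin slug `academy` and the patch threshold come from the advisory; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: flag an Academy LMS install as unpatched for CVE-2024-35171.
# First fixed release per the advisory.
PATCHED_VERSION="1.9.26"

# version_lt A B: succeeds (exit 0) when dotted version A is strictly lower than B.
# Components are compared numerically; a missing component counts as 0 and any
# non-numeric suffix (e.g. "-beta") is ignored, so "1.9" < "1.9.26" and "1.10.0" > "1.9.26".
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
    ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1
}

# is_vulnerable VERSION: succeeds when VERSION predates the patched release.
is_vulnerable() {
  version_lt "$1" "$PATCHED_VERSION"
}

# check_site [VERSION]: uses the given version, or asks WP-CLI for the installed one
# (the advisory's command). Exit 0 = vulnerable, 1 = patched, 2 = version unknown.
check_site() {
  v="${1:-$(wp plugin get academy --field=version 2>/dev/null)}"
  if [ -z "$v" ]; then
    echo "could not determine Academy LMS version (is WP-CLI on PATH and run from the site root?)"
    return 2
  fi
  if is_vulnerable "$v"; then
    echo "academy $v: VULNERABLE (update to $PATCHED_VERSION or later)"
    return 0
  fi
  echo "academy $v: patched"
  return 1
}

# Run the check when given a version argument or when WP-CLI is available on this host.
if [ $# -gt 0 ] || command -v wp >/dev/null 2>&1; then
  check_site "$@"
fi
```

Run it from the WordPress root as `sh check_academy.sh` to query WP-CLI directly, or pass a version collected elsewhere, e.g. `sh check_academy.sh 1.9.25`, which prints `academy 1.9.25: VULNERABLE (update to 1.9.26 or later)`. The exit code lets a configuration-management job or cron loop over many sites act on the result without parsing the text.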

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to Academy LMS endpoints
  • Multiple failed authentication attempts followed by successful data access
  • Access to sensitive data endpoints from unexpected IP addresses

Network Indicators:

  • Unusual traffic to Academy LMS API endpoints
  • Data exfiltration patterns from LMS-related URLs

SIEM Query:

source="wordpress.log" AND ("academy" OR "lms") AND (status=200 OR status=302) AND (uri CONTAINS "/api/" OR uri CONTAINS "/data/")
