CVE-2025-12098
📋 TL;DR
This vulnerability in the Academy LMS WordPress plugin exposes sensitive information including Facebook App Secret to unauthenticated attackers when Facebook Social Login is enabled. All WordPress sites using Academy LMS plugin versions up to 3.3.8 are affected. Attackers can extract credentials without authentication.
💻 Affected Systems
- Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain Facebook App Secret, potentially compromising associated Facebook applications, leading to unauthorized access to user accounts, data theft, or account takeover.
Likely Case
Attackers extract Facebook App Secret and use it to bypass authentication mechanisms, potentially accessing user data or performing unauthorized actions through the Facebook API.
If Mitigated
With proper controls like disabling Facebook Social Login or network segmentation, impact is limited to information disclosure without direct system compromise.
🎯 Exploit Status
Exploitation requires simple HTTP requests to specific endpoints that expose sensitive data in responses.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.9 or later
Vendor Advisory: https://academylms.net/whats-new/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Academy LMS plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, download the latest version from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable Facebook Social Login
Temporarily disable the vulnerable Facebook Social Login feature until patching is possible.
Navigate to the Academy LMS settings in the WordPress admin and disable the Facebook Social Login option.
Restrict Access to WordPress Admin
Implement IP allowlisting or VPN requirements for access to the WordPress admin interface.
Use .htaccess rules or a web application firewall to restrict admin access.
🧯 If You Can't Patch
- Disable the Academy LMS plugin completely until patching is possible
- Implement web application firewall rules to block requests to vulnerable endpoints
🔍 How to Verify
Check if Vulnerable:
Check whether the Academy LMS plugin is installed at version 3.3.8 or earlier, and whether Facebook Social Login is enabled in the plugin settings.
Check Version:
Check the WordPress admin panel > Plugins > Academy LMS version, or examine the version header of the wp-content/plugins/academy-lms/academy-lms.php file.
Verify Fix Applied:
After updating, confirm plugin version is 3.3.9 or later in WordPress admin plugins page.
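The version check above can be scripted against the plugin's main file header. The following is an added example (not code from the advisory or from the Academy LMS project) that parses the standard WordPress `Version:` header field, compares it numerically against the 3.3.9 fix release, and reports whether the install is in the affected range; the sample header content is constructed.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = (3, 3, 9)  # first patched release named in the advisory

# Matches the standard "Version:" field of a WordPress plugin header block.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)

# Constructed sample of the header that sits at the top of
# wp-content/plugins/academy-lms/academy-lms.php (values are made up).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Academy LMS
 * Version: 3.3.8
 */
"""

def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '3.3.8' (or '3.3.8-beta') into (3, 3, 8) so versions compare
    numerically, avoiding the string trap where '3.3.10' sorts before '3.3.9'."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)

def is_vulnerable(version: str) -> bool:
    """Versions up to 3.3.8 are affected; 3.3.9 or later carries the fix."""
    return version_tuple(version) < FIXED_VERSION

def assess_header(header_text: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (version string, vulnerable?) for a plugin file's contents,
    or (None, None) when no Version: field is present."""
    m = VERSION_RE.search(header_text)
    if not m:
        return None, None
    return m.group(1), is_vulnerable(m.group(1))

def check_plugin_file(path: str) -> Tuple[Optional[str], Optional[bool]]:
    """Run the same check against a real install; path is the plugin's main file."""
    return assess_header(Path(path).read_text(encoding="utf-8", errors="replace"))

if __name__ == "__main__":
    print(assess_header(SAMPLE_HEADER))  # constructed sample -> ('3.3.8', True)
```

A vulnerable version result only confirms the affected range; whether Facebook Social Login is enabled still has to be checked in the plugin settings.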
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to Academy LMS endpoints, particularly those related to social login functionality
- Multiple failed authentication attempts from new IP addresses
Network Indicators:
- HTTP requests to /wp-content/plugins/academy-lms/ endpoints with parameters related to social login
- Unusual outbound connections to Facebook API from WordPress server
SIEM Query:
source="wordpress_logs" AND (uri="/wp-content/plugins/academy-lms/" OR user_agent CONTAINS "Academy LMS") AND status=200