CVE-2025-12099
📋 TL;DR
This vulnerability allows authenticated WordPress administrators to inject PHP objects through the Academy LMS plugin's import_all_courses function. The impact depends on whether other plugins or themes with POP chains are installed. Only WordPress sites using vulnerable Academy LMS plugin versions are affected.
💻 Affected Systems
- Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
If combined with a POP chain from another plugin/theme, attackers could execute arbitrary code, delete files, or steal sensitive data, potentially leading to complete site compromise.
Likely Case
Limited impact since no POP chain exists in the vulnerable software itself; exploitation requires specific additional vulnerable components to be present on the target system.
If Mitigated
With proper access controls limiting administrator accounts and regular plugin updates, the risk is minimal as exploitation requires both vulnerable Academy LMS and another vulnerable component.
🎯 Exploit Status
Exploitation requires administrator credentials and depends on finding compatible POP chains in other installed components, making reliable exploitation difficult.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.9 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3390420/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Academy LMS plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.3.9+ from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Remove vulnerable function access
Disable or restrict access to the import_all_courses functionality.
Edit wp-content/plugins/academy/includes/ajax/course.php and comment out or remove the vulnerable code around line 815.
🧯 If You Can't Patch
- Restrict administrator accounts to only essential personnel and implement strong authentication
- Audit and remove unnecessary plugins/themes that could provide POP chains for exploitation
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Academy LMS → Version number. If version is 3.3.8 or lower, you are vulnerable.
Check Version:
wp plugin get academy --field=version (if WP-CLI installed) or check WordPress admin interface
Verify Fix Applied:
After updating, verify Academy LMS plugin version shows 3.3.9 or higher in WordPress admin panel.
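The version check above compares against 3.3.9, and a naive string comparison gets that wrong (for example "3.10.0" sorts below "3.3.9" as text). The following script is an added example, not part of this advisory or the Academy LMS project: it parses the version numerically, reports whether the install is below the fixed release, and, when run stand-alone, reads the installed version with the WP-CLI command quoted above. The plugin slug "academy" and the fixed version 3.3.9 come from this page; the optional `--path` handling is an assumption for installs outside the current directory.

```python
import re
import shutil
import subprocess

# First Academy LMS release that contains the fix, as stated in the advisory.
FIXED_VERSION = (3, 3, 9)


def parse_version(text):
    """Turn '3.3.8' (or '3.3.8-beta1') into a tuple of ints for numeric comparison.
    Plain string comparison would wrongly rank '3.10.0' below '3.3.9'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad short versions so '3.3' compares like (3, 3, 0).
    if len(parts) < 3:
        parts = parts + (0,) * (3 - len(parts))
    return parts


def is_vulnerable(version_text):
    """True when the installed version is below the fixed release 3.3.9."""
    return parse_version(version_text) < FIXED_VERSION


def installed_version(wp_path=None):
    """Read the installed version with WP-CLI (the command from the advisory).
    Returns None when WP-CLI is missing, the plugin is not installed, or the call fails."""
    wp = shutil.which("wp")
    if wp is None:
        return None
    cmd = [wp, "plugin", "get", "academy", "--field=version"]
    if wp_path:  # assumption: WordPress root passed explicitly when not in the cwd
        cmd.append(f"--path={wp_path}")
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=60, check=True)
    except (subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = installed_version()
    if v is None:
        print("WP-CLI not available or Academy LMS not installed; check the version in wp-admin instead.")
    else:
        state = "VULNERABLE (update to 3.3.9 or later)" if is_vulnerable(v) else "patched"
        print(f"Academy LMS {v}: {state}")
```

Run it from the WordPress root on a host where WP-CLI is installed; on any other host it falls back to telling you to read the version from the admin panel.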
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator activity, especially related to course imports
- PHP errors related to unserialize() or object injection
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with 'action=import_all_courses' parameter
SIEM Query:
source="wordpress.log" AND "import_all_courses" AND ("unserialize" OR "PHP object")
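The indicators above can be checked without a SIEM. The script below is an added example, not part of this advisory: it runs over a few constructed log lines (an Apache combined-format access log plus one PHP error line, all made up for this example) and reports POST requests to admin-ajax.php whose query string carries action=import_all_courses, together with PHP unserialize() errors. One caveat the query above hides: admin-ajax.php also accepts the action parameter in the POST body, which a web-server access log does not record, so for body-carried actions you need a WAF or application log that captures the request body. The log format and IP addresses are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (not real traffic): three Apache combined-format access log
# entries and one PHP error-log line of the kind the advisory lists as an indicator.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2025:14:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=import_all_courses HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Nov/2025:14:02:13 +0000] "GET /wp-admin/edit.php?post_type=academy_courses HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2025:14:05:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "curl/8.4.0"
[10-Nov-2025 14:02:11 UTC] PHP Warning:  unserialize(): Error at offset 0 of 12 bytes in /var/www/html/wp-content/plugins/academy/includes/ajax/course.php on line 815
"""

# Apache/nginx combined format: ip ident user [ts] "METHOD target PROTO" status ...
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# PHP error log: [ts] PHP Level:  message
PHP_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>\w+):\s+(?P<msg>.*)$")


def classify(line):
    """Return (indicator, detail) when the line matches one of the advisory's
    indicators, otherwise None."""
    m = ACCESS_RE.match(line)
    if m:
        url = urlsplit(m.group("target"))
        if m.group("method") == "POST" and url.path.endswith("/wp-admin/admin-ajax.php"):
            # Only query-string actions are visible here; a body-carried action
            # (the third sample line) needs a WAF or application log to detect.
            action = parse_qs(url.query).get("action", [None])[0]
            if action == "import_all_courses":
                return ("import_all_courses request", f"{m.group('ip')} at {m.group('ts')}")
        return None
    m = PHP_RE.match(line)
    if m and "unserialize" in m.group("msg"):
        return ("unserialize error", m.group("msg"))
    return None


def scan(text):
    """Scan log text and return (line_number, indicator, detail) for each hit."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        c = classify(line)
        if c:
            hits.append((n, c[0], c[1]))
    return hits


if __name__ == "__main__":
    for n, indicator, detail in scan(SAMPLE_LOG):
        print(f"line {n}: {indicator}: {detail}")
```

Point `scan()` at the contents of your access log and PHP error log; a hit on the import_all_courses indicator should be correlated with the administrator session that issued it, since the request itself is legitimate for a real course import.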