CVE-2025-15521
📋 TL;DR
This vulnerability allows unauthenticated attackers to change any user's password in the Academy LMS WordPress plugin, including administrator accounts, leading to complete account takeover. All WordPress sites using Academy LMS plugin versions up to 3.5.0 are affected. Attackers can gain administrative access to vulnerable WordPress installations.
💻 Affected Systems
- Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of WordPress site with administrative access, data theft, malware installation, and potential lateral movement to other systems.
Likely Case
Administrative account takeover leading to defacement, data exfiltration, or installation of backdoors for persistent access.
If Mitigated
Limited impact if strong network segmentation, web application firewalls, and monitoring are in place to detect and block exploitation attempts.
🎯 Exploit Status
The vulnerability is straightforward to exploit as it requires no authentication and uses publicly accessible nonces for authorization.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.5.1 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/academy/tags/3.5.1
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Academy LMS plugin. 4. Click 'Update Now' if update is available. 5. If no update appears, manually download version 3.5.1+ from WordPress.org and replace plugin files.
🔧 Temporary Workarounds
Disable Academy LMS Plugin
linuxTemporarily disable the vulnerable plugin until patching is possible.
wp plugin deactivate academy
Web Application Firewall Rule
allBlock requests to the vulnerable password reset endpoint.
Block POST requests to /wp-admin/admin-ajax.php with action=academy_reset_password
🧯 If You Can't Patch
- Immediately disable the Academy LMS plugin and use alternative LMS solutions.
- Implement strict network access controls to limit exposure of the WordPress admin interface.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Academy LMS → Version number. If version is 3.5.0 or lower, the site is vulnerable.Check Version:
wp plugin get academy --field=versionVerify Fix Applied:
Verify Academy LMS plugin version is 3.5.1 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=academy_reset_password
- Multiple failed login attempts followed by successful login from new IP
- Password reset logs for administrator accounts
Network Indicators:
- HTTP POST requests to WordPress admin-ajax.php with academy_reset_password parameter from unauthenticated sources
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="academy_reset_password"