CVE-2026-5348 (GCVE-0-2026-5348)

Vulnerability from cvelistv5 – Published: 2026-07-02 05:35 – Updated: 2026-07-02 14:52
VLAI
Title
Academy LMS <= 3.8.1 - Unauthenticated Insecure Direct Object Reference to Private Topic Disclosure
Summary
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to '__return_true', allowing unauthenticated access to course curriculum data without verifying the course's post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
Md. Moniruzzaman Prodhan (NomanProdhan)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5348",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T14:51:06.740335Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T14:52:06.995Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution",
          "vendor": "kodezen",
          "versions": [
            {
              "lessThanOrEqual": "3.8.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Md. Moniruzzaman Prodhan (NomanProdhan)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the \u0027/topics\u0027 REST API endpoint being registered with a permission callback set to \u0027__return_true\u0027, allowing unauthenticated access to course curriculum data without verifying the course\u0027s post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-02T05:35:13.968Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b84ae3e0-de4f-41d6-8944-fadaf6fdcf79?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L50"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L50"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L77"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L77"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/academy/trunk/includes/traits/courses.php#L1514"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/traits/courses.php#L1514"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3592849%40academy\u0026new=3592849%40academy\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-01T16:54:17.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-07-01T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Academy LMS \u003c= 3.8.1 - Unauthenticated Insecure Direct Object Reference to Private Topic Disclosure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-5348",
    "datePublished": "2026-07-02T05:35:13.968Z",
    "dateReserved": "2026-04-01T16:39:04.047Z",
    "dateUpdated": "2026-07-02T14:52:06.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-5348",
      "date": "2026-07-04",
      "epss": "0.00262",
      "percentile": "0.17573"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-5348\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-07-02T06:16:14.073\",\"lastModified\":\"2026-07-02T15:17:11.593\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the \u0027/topics\u0027 REST API endpoint being registered with a permission callback set to \u0027__return_true\u0027, allowing unauthenticated access to course curriculum data without verifying the course\u0027s post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs.\"}],\"affected\":[{\"source\":\"security@wordfence.com\",\"affectedData\":[{\"vendor\":\"kodezen\",\"product\":\"Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"3.8.1\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-02T14:51:06.740335Z\",\"id\":\"CVE-2026-5348\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L50\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L77\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/traits/courses.php#L1514\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L50\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L77\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/academy/trunk/includes/traits/courses.php#L1514\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3592849%40academy\u0026new=3592849%40academy\u0026sfp_email=\u0026sfph_mail=\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/b84ae3e0-de4f-41d6-8944-fadaf6fdcf79?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-07-02T05:35:13.968Z\"}, \"affected\": [{\"vendor\": \"kodezen\", \"product\": \"Academy LMS \\u2013 WordPress LMS Plugin for Complete eLearning Solution\", \"versions\": [{\"version\": \"0\", \"status\": \"affected\", \"lessThanOrEqual\": \"3.8.1\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Academy LMS \\u2013 WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the \u0027/topics\u0027 REST API endpoint being registered with a permission callback set to \u0027__return_true\u0027, allowing unauthenticated access to course curriculum data without verifying the course\u0027s post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs.\"}], \"title\": \"Academy LMS \u003c= 3.8.1 - Unauthenticated Insecure Direct Object Reference to Private Topic Disclosure\", \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/b84ae3e0-de4f-41d6-8944-fadaf6fdcf79?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L50\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L50\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L77\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L77\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/academy/trunk/includes/traits/courses.php#L1514\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/traits/courses.php#L1514\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3592849%40academy\u0026new=3592849%40academy\u0026sfp_email=\u0026sfph_mail=\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"description\": \"CWE-639 Authorization Bypass Through User-Controlled Key\", \"cweId\": \"CWE-639\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\"}}], \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Md. Moniruzzaman Prodhan (NomanProdhan)\"}], \"timeline\": [{\"time\": \"2026-04-01T16:54:17.000Z\", \"lang\": \"en\", \"value\": \"Vendor Notified\"}, {\"time\": \"2026-07-01T00:00:00.000Z\", \"lang\": \"en\", \"value\": \"Disclosed\"}]}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-5348\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-02T14:51:06.740335Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-02T14:51:12.519Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-5348\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"Wordfence\", \"dateReserved\": \"2026-04-01T16:39:04.047Z\", \"datePublished\": \"2026-07-02T05:35:13.968Z\", \"dateUpdated\": \"2026-07-02T14:52:06.995Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…