Academy LMS <= 3.8.1 - Unauthenticated Insecure Direct Object Reference to Private Topic Disclosure
Summary
| CVE | CVE-2026-5348 |
|---|---|
| State | PUBLISHED |
| Assigner | Wordfence |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-07-02 06:16:14 UTC |
| Updated | 2026-07-02 15:17:11 UTC |
| Description | The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to '__return_true', allowing unauthenticated access to course curriculum data without verifying the course's post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs. |
Risk And Classification
Primary CVSS: v3.1 5.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.002620000 probability, percentile 0.175730000 (date 2026-07-04)
Problem Types: CWE-639 | CWE-639 CWE-639 Authorization Bypass Through User-Controlled Key
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | CNA | DECLARED | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Kodezen | Academy LMS WordPress LMS Plugin For Complete ELearning Solution | affected 3.8.1 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/traits/courses.php | [email protected] | plugins.trac.wordpress.org | |
| plugins.trac.wordpress.org/browser/academy/trunk/includes/traits/courses.php | [email protected] | plugins.trac.wordpress.org | |
| www.wordfence.com/threat-intel/vulnerabilities/id/b84ae3e0-de4f-41d6-8944-fadaf... | [email protected] | www.wordfence.com | |
| plugins.trac.wordpress.org/changeset | [email protected] | plugins.trac.wordpress.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Md. Moniruzzaman Prodhan (NomanProdhan) (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-01T16:54:17.000Z | Vendor Notified |
| CNA | 2026-07-01T00:00:00.000Z | Disclosed |
There are currently no legacy QID mappings associated with this CVE.