{"api_version":"1","generated_at":"2026-07-16T10:51:04+00:00","cve":"CVE-2026-5348","urls":{"html":"https://cve.report/CVE-2026-5348","api":"https://cve.report/api/cve/CVE-2026-5348.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-5348","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-5348"},"summary":{"title":"Academy LMS <= 3.8.1 - Unauthenticated Insecure Direct Object Reference to Private Topic Disclosure","description":"The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to '__return_true', allowing unauthenticated access to course curriculum data without verifying the course's post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2026-07-02 06:16:14","updated_at":"2026-07-02 15:17:11"},"problem_types":["CWE-639","CWE-639 CWE-639 Authorization Bypass Through User-Controlled Key"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L77","name":"https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L77","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L77","name":"https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L77","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L50","name":"https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L50","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L50","name":"https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L50","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/traits/courses.php#L1514","name":"https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/traits/courses.php#L1514","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/academy/trunk/includes/traits/courses.php#L1514","name":"https://plugins.trac.wordpress.org/browser/academy/trunk/includes/traits/courses.php#L1514","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b84ae3e0-de4f-41d6-8944-fadaf6fdcf79?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b84ae3e0-de4f-41d6-8944-fadaf6fdcf79?source=cve","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3592849%40academy&new=3592849%40academy&sfp_email=&sfph_mail=","name":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3592849%40academy&new=3592849%40academy&sfp_email=&sfph_mail=","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-5348","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-5348","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"kodezen","product":"Academy LMS – WordPress LMS Plugin for Complete eLearning Solution","version":"affected 3.8.1 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-04-01T16:54:17.000Z","lang":"en","value":"Vendor Notified"},{"source":"CNA","time":"2026-07-01T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Md. Moniruzzaman Prodhan (NomanProdhan)","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"5348","cve":"CVE-2026-5348","epss":"0.002620000","percentile":"0.175730000","score_date":"2026-07-04","updated_at":"2026-07-05 00:02:26"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-5348","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-02T14:51:06.740335Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-02T14:52:06.995Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Academy LMS – WordPress LMS Plugin for Complete eLearning Solution","vendor":"kodezen","versions":[{"lessThanOrEqual":"3.8.1","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Md. Moniruzzaman Prodhan (NomanProdhan)"}],"descriptions":[{"lang":"en","value":"The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to '__return_true', allowing unauthenticated access to course curriculum data without verifying the course's post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs."}],"metrics":[{"cvssV3_1":{"baseScore":5.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-639","description":"CWE-639 Authorization Bypass Through User-Controlled Key","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-02T05:35:13.968Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b84ae3e0-de4f-41d6-8944-fadaf6fdcf79?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L50"},{"url":"https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L50"},{"url":"https://plugins.trac.wordpress.org/browser/academy/trunk/includes/api/course.php#L77"},{"url":"https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/api/course.php#L77"},{"url":"https://plugins.trac.wordpress.org/browser/academy/trunk/includes/traits/courses.php#L1514"},{"url":"https://plugins.trac.wordpress.org/browser/academy/tags/3.5.3/includes/traits/courses.php#L1514"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3592849%40academy&new=3592849%40academy&sfp_email=&sfph_mail="}],"timeline":[{"lang":"en","time":"2026-04-01T16:54:17.000Z","value":"Vendor Notified"},{"lang":"en","time":"2026-07-01T00:00:00.000Z","value":"Disclosed"}],"title":"Academy LMS <= 3.8.1 - Unauthenticated Insecure Direct Object Reference to Private Topic Disclosure"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2026-5348","datePublished":"2026-07-02T05:35:13.968Z","dateReserved":"2026-04-01T16:39:04.047Z","dateUpdated":"2026-07-02T14:52:06.995Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-02 06:16:14","lastModifiedDate":"2026-07-02 15:17:11","problem_types":["CWE-639","CWE-639 CWE-639 Authorization Bypass Through User-Controlled Key"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-02T14:51:06.740335Z","id":"CVE-2026-5348","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"5348","Ordinal":"1","Title":"Academy LMS <= 3.8.1 - Unauthenticated Insecure Direct Object Re","CVE":"CVE-2026-5348","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"5348","Ordinal":"1","NoteData":"The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to '__return_true', allowing unauthenticated access to course curriculum data without verifying the course's post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs.","Type":"Description","Title":"Academy LMS <= 3.8.1 - Unauthenticated Insecure Direct Object Re"}]}}}