35 matches found
Academy Learning Management System <5.9.1 - Cross-Site Scripting
Academy Learning Management System before 5.9.1 contains a cross-site scripting vulnerability via the Search parameter. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based...
Exploit for CVE-2025-15521
CVE-2025-15521 The Academy LMS – WordPress LMS Plugin for Comp...
CVE-2026-25372
Missing Authorization vulnerability in Kodezen LLC Academy LMS academy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Academy LMS: from n/a through <= 3.5.3...
PT-2026-20714
Missing Authorization vulnerability in Kodezen LLC Academy LMS academy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Academy LMS: from n/a through <= 3.5.3...
CVE-2025-71179
Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to the /academy/blogs endpoint, and the string parameter to the /academy/coursebundles/search/query endpoint. These vulnerabilities are distinct from the patch for CVE-2023-4119, whic...
CVE-2025-15521
The CVE-2025-15521 entry describes an unauthenticated privilege-escalation in the Academy LMS – WordPress LMS Plugin for Complete eLearning Solution, affecting versions up to 3.5.0. The root cause is improper identity validation during password updates: the reset handler accepts a publicly expose...
CVE-2025-15521 Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.5.0 - Unauthenticated Privilege Escalation via Account Takeover
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password...
CVE-2025-15521
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password...
CVE-2023-4973
A vulnerability was found in Academy LMS 6.2 on Windows. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /academy/tutor/filter of the component GET Parameter Handler. The manipulation of the argument...
CVE-2022-38553
Academy Learning Management System before v5.9.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter...
CVE-2023-4119
A vulnerability has been found in Academy LMS 6.0 and classified as problematic. This vulnerability affects unknown code of the file /academy/home/courses. The manipulation of the argument query/sortby leads to cross site scripting. The attack can be initiated remotely. VDB-235966 is the identifi...
CVE-2023-53876
Academy LMS 6.1 contains a file upload vulnerability that allows authenticated users to upload malicious SVG files with stored cross-site scripting payloads. Attackers can inject malicious scripts through the profile avatar upload feature by modifying file extensions and embedding executable...
CVE-2023-53876
CVE-2023-53876 affects Academy LMS 6.1 and is a file-upload vulnerability that lets authenticated users upload malicious SVGs containing stored XSS via the profile avatar upload feature by altering extensions and embedding JavaScript. Root cause: lax file-type handling permitting SVG execution. I...
PT-2025-45559
Name of the Vulnerable Software and Affected Versions: Academy LMS – WordPress LMS Plugin for Complete eLearning Solution versions prior to 3.3.9. Description: The software is susceptible to a PHP Object Injection due to deserialization of untrusted input within the import all courses function. This...
CVE-2025-11086
Summary of CVE-2025-11086 (Academy LMS Pro for WordPress): The plugin up to version 3.3.7 is vulnerable to unauthenticated privilege escalation during user registration via the Social Login addon. The root cause is improper validation of the user’s role before registering the new user, allowing ...
CVE-2025-59562
CVE-2025-59562 concerns the Academy LMS WordPress plugin. The issue is described as an Insecure Direct Object Reference / Missing Authorization (Authorization Bypass Through User-Controlled Key) that affects Academy LMS versions up to 3.3.4. Patch status in the CVE entry shows a fix, with the aff...
PT-2025-39040
Name of the Vulnerable Software and Affected Versions: Academy LMS versions through 3.3.4. Description: An authorization bypass exists due to incorrectly configured access control security levels. This allows exploitation through user-controlled keys. Recommendations: Update Academy LMS to a version...
CVE-2024-32714
Missing Authorization vulnerability in Academy LMS academy. This issue affects Academy LMS: from n/a through 1.9.16...
CVE-2024-35171
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Academy LMS academy. This issue affects Academy LMS: from n/a through 1.9.25...
CVE-2024-33912
Missing Authorization vulnerability in Academy LMS. This issue affects Academy LMS: from n/a through 1.9.16...