CVE-2025-59562 MEDIUM

CVE-2025-59562: WordPress Academy LMS Plugin <= 3.3.4 - Insecure Direct Object References (IDOR) Vulnerability

Vendor Kodezen LLC
Product Academy LMS
Weakness CWE-639 · IDOR
Published September 22, 2025
Last update April 28, 2026

CVSS base score

5.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H

What the vulnerability does

Description

Authorization Bypass Through User-Controlled Key vulnerability in Kodezen LLC Academy LMS academy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Academy LMS: from n/a through <= 3.3.4.

Explanation of Vulnerability in Simple Terms

Summary

Academy LMS versions up to 3.3.4 contain an authorization flaw that allows high-privilege users to trigger a denial-of-service condition affecting site availability. The vulnerability requires administrative or elevated account access and does not involve user interaction. A low-level information disclosure may also occur. Update to a version newer than 3.3.4.

What an attacker can do

Attacker Capabilities

Trigger a denial-of-service condition and read limited sensitive information.

Potential impact on your site

Site Impact

Site availability may be disrupted by a privileged user; some data may be exposed.

Conditions required to exploit

Prerequisites

Attacker must have high-privilege account access (admin or equivalent role).

Key dates

Disclosure timeline

September 22, 2025 CVE published
April 28, 2026 Record updated