A critical security vulnerability has been unearthed in the Academy LMS plugin for WordPress, a popular tool used by thousands of educators to sell courses and build eLearning platforms. The flaw, tracked as CVE-2025-15521, carries a near-maximum CVSS severity score of 9.8, signaling an immediate danger to any website running the software.
The vulnerability allows unauthenticated attackers to seize control of administrator accounts, effectively handing over the keys to the entire website without ever needing a password.
The core of the issue lies in how the plugin handles password updates. Typically, changing a user’s password requires strict identity verification—usually knowing the old password or having an active, authenticated session.
However, versions of Academy LMS up to and including 3.5.0 fail to validate the user’s identity properly. Instead, the system relies “solely on a publicly-exposed nonce for authorization.”
In WordPress development, a “nonce” (number used once) is often used to protect against Cross-Site Request Forgery (CSRF), but it is not a substitute for user authentication. Because this authorization token is exposed publicly, an attacker can scrape it and use it to send a password reset request for any user on the site.
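To make the nonce-versus-authentication distinction concrete, here is an added illustration (not Academy LMS code; the function, action and field names are invented): a hypothetical password-change AJAX handler gated only by a nonce, beside a hardened version that also requires a logged-in caller, acts only on that caller's own account, and re-checks the current password.

```php
<?php
// Added illustration (not Academy LMS code): two hypothetical AJAX handlers
// for a "change password" request. Function, action and field names are invented.

// WEAK: the nonce is the only gate. A nonce is a CSRF token, not proof of
// identity. If the nonce is readable by anyone (e.g. printed into public page
// markup) and the handler is registered for anonymous callers (wp_ajax_nopriv_),
// any visitor can set any user's password.
function example_weak_change_password() {
    check_ajax_referer( 'example_change_password', 'nonce' );
    $user_id  = (int) $_POST['user_id'];                    // attacker-chosen
    $password = (string) wp_unslash( $_POST['new_password'] );
    wp_set_password( $password, $user_id );                  // no check of who is asking
    wp_send_json_success();
}
add_action( 'wp_ajax_example_weak_change_password', 'example_weak_change_password' );
add_action( 'wp_ajax_nopriv_example_weak_change_password', 'example_weak_change_password' );

// HARDENED: nonce for CSRF, plus real authentication and authorization.
function example_safe_change_password() {
    check_ajax_referer( 'example_change_password', 'nonce' );

    // 1. Authentication: anonymous callers are rejected outright.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // 2. Authorization: act only on the caller's own account, never on a
    //    user_id taken from the request body.
    $user_id = get_current_user_id();
    $user    = get_user_by( 'id', $user_id );

    // 3. Re-verify identity with the current password before changing it.
    $current = (string) wp_unslash( $_POST['current_password'] ?? '' );
    if ( ! $user || ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }

    $new = (string) wp_unslash( $_POST['new_password'] ?? '' );
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }
    wp_set_password( $new, $user_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_safe_change_password', 'example_safe_change_password' );
// Deliberately no wp_ajax_nopriv_ registration: logged-in users only.
```

The practical check for site owners is the same one the hardened handler encodes: a password-changing endpoint must be rejected for anonymous callers and must ignore any user ID supplied by the client.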
The impact of this architectural oversight is catastrophic. An attacker does not need to be logged in to exploit the flaw. By leveraging the exposed nonce, they can:
- Change the password of any registered user.
- Target Administrator accounts specifically.
- Gain full administrative access to the WordPress dashboard.
Once inside as an admin, an attacker can steal student data, inject malware, delete courses, or redirect payments.
Security firm Wordfence has already begun detecting attempts to weaponize this flaw in the wild. In a single 24-hour window, their firewalls blocked 76 separate attacks targeting this specific vulnerability.

With over 2,000 active installations, the attack surface is significant, and the low barrier to entry for exploitation makes this a prime target for automated botnets.
Administrators using the Academy LMS plugin should check their installation version immediately. If you are running version 3.5.0 or older, you are vulnerable.
Site owners are urged to update the plugin to the latest patched version immediately to close this critical security hole before their classrooms are compromised.