CVE-2025-15521

Critical

Published: 21 January 2026

Published

21 January 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0015 34.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a…

user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and gain access to their account.

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Mandates enforcement of approved authorizations, directly preventing unauthorized password updates due to inadequate identity validation beyond a public nonce.

IA-5 Authenticator Management good match

prevent

Requires protection of authenticators from unauthorized modification, addressing the lack of identity verification before password changes.

AC-2 Account Management partial match

prevent

Establishes procedures for modifying accounts and credentials securely, mitigating risks from arbitrary password changes without proper authorization.

Security SummaryAI

CVE-2025-15521 is a privilege escalation vulnerability via account takeover in the Academy LMS – WordPress LMS Plugin for Complete eLearning Solution for WordPress, affecting all versions up to and including 3.5.0. The issue arises because the plugin does not properly validate a user's identity prior to updating their password, instead relying solely on a publicly-exposed nonce for authorization. Published on 2026-01-21, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-639 (Authorization Bypass Through User-Controlled Key).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction or privileges required. By leveraging the inadequate authorization, they can change the password of arbitrary users, including administrators, thereby achieving full account takeover and potential control over the WordPress site.

Advisories point to the vulnerable code at line 1581 in includes/functions.php of version 3.5.0, as shown in the WordPress plugins trac repository. Wordfence threat intelligence provides further details on the issue via its vulnerability database entry.

Details

CWE(s): CWE-639

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1098 Account Manipulation Persistence

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

attack.mitre.org →

Why these techniques?

T1190: Unauthenticated exploitation of public-facing WordPress plugin vulnerability. T1098: Enables unauthorized password changes for arbitrary users including admins, facilitating account manipulation and takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://plugins.trac.wordpress.org/browser/academy/tags/3.5.0/includes/functions.php#L1581
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/6687ebbe-fdf4-4ecb-bf59-034bb4b0104c?source=cve
security@wordfence.com