CVE-2026-5348 Overview
CVE-2026-5348 is an Insecure Direct Object Reference (IDOR) vulnerability in the Academy LMS WordPress plugin, affecting all versions up to and including 3.8.1. The plugin registers the /topics REST API endpoint with a permission callback set to __return_true, allowing unauthenticated access to course curriculum data. Attackers can enumerate course IDs to retrieve detailed curriculum content from private, draft, scheduled, or password-protected courses. The flaw is tracked under [CWE-639: Authorization Bypass Through User-Controlled Key].
Critical Impact
Unauthenticated attackers can retrieve curriculum information for non-public courses by iterating course IDs against the /topics REST endpoint.
Affected Products
- Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
- Versions up to and including 3.8.1
- WordPress installations exposing the plugin's REST API
Discovery Timeline
- 2026-07-02 - CVE-2026-5348 published to NVD
- 2026-07-02 - Last updated in NVD database
Technical Details for CVE-2026-5348
Vulnerability Analysis
The Academy LMS plugin exposes a REST API route at /topics intended to return curriculum topics for a course. The route registration uses __return_true as its permission_callback, which unconditionally grants access to any caller. No authentication check, capability verification, or enrollment validation runs before the handler executes.
The handler fetches curriculum data using a course ID supplied by the client. It does not inspect the course post status, so draft, scheduled, private, and password-protected courses return the same data as published ones. Enrollment checks are also absent, meaning users who have not purchased or enrolled in a course still receive its full curriculum.
The vulnerability aligns with [CWE-639] because access decisions rely on a user-controlled key (the course ID) with no server-side authorization enforcement.
Root Cause
The root cause is the misuse of __return_true for the endpoint's permission_callback. In WordPress REST API design, permission_callback is the primary gatekeeper for authorization. Setting it to __return_true explicitly disables that gate. The handler compounds the issue by omitting post-status filtering and enrollment verification inside the business logic.
Attack Vector
An unauthenticated remote attacker sends HTTP GET requests to the plugin's /topics REST endpoint, supplying sequential or guessed course IDs. Because course IDs are integers assigned by WordPress, enumeration is straightforward. The response contains structured curriculum data for any course matching the ID, regardless of its publication state or the requester's enrollment status.
The vulnerable code paths are documented in the Academy plugin course.php at line 50, course.php at line 77, and courses.php at line 1514. The fix is tracked in the WordPress Plugin Changeset.
Detection Methods for CVE-2026-5348
Indicators of Compromise
- Unauthenticated HTTP GET requests to /wp-json/academy/v1/topics or similar plugin REST routes
- Sequential enumeration patterns targeting incrementing course ID parameters
- Access log entries showing curriculum data returned to unauthenticated clients
- Elevated traffic volume from single source IPs iterating course IDs
Detection Strategies
- Inspect WordPress access logs for /wp-json/academy/ requests originating from unauthenticated sessions
- Deploy web application firewall rules that flag REST API enumeration against LMS endpoints
- Correlate response payload sizes with course visibility metadata to spot unauthorized disclosure
Monitoring Recommendations
- Enable REST API request logging on the WordPress host and forward events to a central log store
- Alert on anomalous request rates targeting Academy LMS routes
- Track HTTP 200 responses for course IDs that map to draft, private, or scheduled posts
How to Mitigate CVE-2026-5348
Immediate Actions Required
- Update the Academy LMS plugin to a version later than 3.8.1 that includes the fix referenced in the plugin changeset
- Block unauthenticated access to /wp-json/academy/ routes at the WAF or reverse proxy layer until patching is complete
- Audit access logs for prior enumeration activity against the /topics endpoint
Patch Information
The vendor addressed the issue in a plugin update tracked by the Academy plugin changeset 3592849. Additional context is available in the Wordfence Vulnerability Report. Administrators should install the fixed release through the WordPress plugin manager and confirm the version reads above 3.8.1.
Workarounds
- Restrict access to /wp-json/academy/v1/topics via WAF rules requiring authenticated sessions
- Temporarily deactivate the Academy LMS plugin on sites hosting sensitive draft or private course content
- Rotate any course IDs or curriculum content that may have been exposed before patching
# Example nginx rule to require authentication for the vulnerable endpoint
location ~ ^/wp-json/academy/v1/topics {
if ($http_cookie !~ "wordpress_logged_in") {
return 403;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

