Skip to main content
CVE Vulnerability Database

CVE-2026-5348: Academy LMS Auth Bypass Vulnerability

CVE-2026-5348 is an authentication bypass vulnerability in Academy LMS WordPress plugin that allows unauthenticated attackers to access private course curriculum data. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-5348 Overview

CVE-2026-5348 is an Insecure Direct Object Reference (IDOR) vulnerability in the Academy LMS WordPress plugin, affecting all versions up to and including 3.8.1. The plugin registers the /topics REST API endpoint with a permission callback set to __return_true, allowing unauthenticated access to course curriculum data. Attackers can enumerate course IDs to retrieve detailed curriculum content from private, draft, scheduled, or password-protected courses. The flaw is tracked under [CWE-639: Authorization Bypass Through User-Controlled Key].

Critical Impact

Unauthenticated attackers can retrieve curriculum information for non-public courses by iterating course IDs against the /topics REST endpoint.

Affected Products

  • Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
  • Versions up to and including 3.8.1
  • WordPress installations exposing the plugin's REST API

Discovery Timeline

  • 2026-07-02 - CVE-2026-5348 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-5348

Vulnerability Analysis

The Academy LMS plugin exposes a REST API route at /topics intended to return curriculum topics for a course. The route registration uses __return_true as its permission_callback, which unconditionally grants access to any caller. No authentication check, capability verification, or enrollment validation runs before the handler executes.

The handler fetches curriculum data using a course ID supplied by the client. It does not inspect the course post status, so draft, scheduled, private, and password-protected courses return the same data as published ones. Enrollment checks are also absent, meaning users who have not purchased or enrolled in a course still receive its full curriculum.

The vulnerability aligns with [CWE-639] because access decisions rely on a user-controlled key (the course ID) with no server-side authorization enforcement.

Root Cause

The root cause is the misuse of __return_true for the endpoint's permission_callback. In WordPress REST API design, permission_callback is the primary gatekeeper for authorization. Setting it to __return_true explicitly disables that gate. The handler compounds the issue by omitting post-status filtering and enrollment verification inside the business logic.

Attack Vector

An unauthenticated remote attacker sends HTTP GET requests to the plugin's /topics REST endpoint, supplying sequential or guessed course IDs. Because course IDs are integers assigned by WordPress, enumeration is straightforward. The response contains structured curriculum data for any course matching the ID, regardless of its publication state or the requester's enrollment status.

The vulnerable code paths are documented in the Academy plugin course.php at line 50, course.php at line 77, and courses.php at line 1514. The fix is tracked in the WordPress Plugin Changeset.

Detection Methods for CVE-2026-5348

Indicators of Compromise

  • Unauthenticated HTTP GET requests to /wp-json/academy/v1/topics or similar plugin REST routes
  • Sequential enumeration patterns targeting incrementing course ID parameters
  • Access log entries showing curriculum data returned to unauthenticated clients
  • Elevated traffic volume from single source IPs iterating course IDs

Detection Strategies

  • Inspect WordPress access logs for /wp-json/academy/ requests originating from unauthenticated sessions
  • Deploy web application firewall rules that flag REST API enumeration against LMS endpoints
  • Correlate response payload sizes with course visibility metadata to spot unauthorized disclosure

Monitoring Recommendations

  • Enable REST API request logging on the WordPress host and forward events to a central log store
  • Alert on anomalous request rates targeting Academy LMS routes
  • Track HTTP 200 responses for course IDs that map to draft, private, or scheduled posts

How to Mitigate CVE-2026-5348

Immediate Actions Required

  • Update the Academy LMS plugin to a version later than 3.8.1 that includes the fix referenced in the plugin changeset
  • Block unauthenticated access to /wp-json/academy/ routes at the WAF or reverse proxy layer until patching is complete
  • Audit access logs for prior enumeration activity against the /topics endpoint

Patch Information

The vendor addressed the issue in a plugin update tracked by the Academy plugin changeset 3592849. Additional context is available in the Wordfence Vulnerability Report. Administrators should install the fixed release through the WordPress plugin manager and confirm the version reads above 3.8.1.

Workarounds

  • Restrict access to /wp-json/academy/v1/topics via WAF rules requiring authenticated sessions
  • Temporarily deactivate the Academy LMS plugin on sites hosting sensitive draft or private course content
  • Rotate any course IDs or curriculum content that may have been exposed before patching
bash
# Example nginx rule to require authentication for the vulnerable endpoint
location ~ ^/wp-json/academy/v1/topics {
    if ($http_cookie !~ "wordpress_logged_in") {
        return 403;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.