
CVE-2026-5348 is an Insecure Direct Object Reference (IDOR) vulnerability in the Academy LMS – WordPress LMS Plugin for Complete eLearning Solution, developed by Kodezen. It affects all versions up to and including 3.8.1, and was published on July 2, 2026. The flaw allows unauthenticated attackers to access curriculum data for private, draft, scheduled, or password-protected courses by enumerating course IDs via the /topics REST API endpoint. It carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, Wordfence).
The root cause is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The /topics REST API endpoint in includes/api/course.php is registered with a permission callback hardcoded to __return_true, which unconditionally grants access to any caller without verifying authentication, course post status, or user enrollment. An attacker can exploit this by sending unauthenticated HTTP GET requests to the endpoint while iterating over numeric course IDs, retrieving detailed curriculum data for courses that should be restricted. Relevant vulnerable code is visible in the plugin's source at includes/api/course.php (lines 50 and 77) and includes/traits/courses.php (line 1514) (GitHub Advisory, Wordfence).
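To make the root cause concrete, the following is an added example (not the Academy LMS plugin's own code and not its patch) that registers a /topics route the way the advisory describes, with permission_callback set to __return_true, next to a hardened registration whose permission callback checks the course's post status, password protection, authentication and enrollment before the data callback runs. The namespace academy_example/v1, the course and topic post types, and the academy_example_user_is_enrolled() helper are assumptions standing in for the plugin's real names and enrollment lookup.

```php
<?php
/**
 * Added example, not the plugin's own code. Route namespace, post type
 * names and the enrollment helper below are assumptions.
 */

// Vulnerable pattern (CWE-639): the route exists, but the permission check
// always passes, so any unauthenticated caller can read any course_id.
// Defined here for comparison only; it is deliberately never hooked.
function academy_example_register_topics_vulnerable() {
    register_rest_route( 'academy_example/v1', '/topics', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'academy_example_get_topics',
        'permission_callback' => '__return_true', // no auth, status or enrollment check
    ) );
}

// Hardened registration: a real permission callback decides per course.
add_action( 'rest_api_init', function () {
    register_rest_route( 'academy_example/v1', '/topics', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'academy_example_get_topics',
        'permission_callback' => 'academy_example_topics_permission',
        'args'                => array(
            'course_id' => array(
                'type'              => 'integer',
                'required'          => true,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

/**
 * Returns true only when the caller may read this course's curriculum.
 * Every denial is a generic 403 so the response does not reveal whether
 * a given course_id exists or what its status is.
 */
function academy_example_topics_permission( WP_REST_Request $request ) {
    $course_id = (int) $request->get_param( 'course_id' );
    $course    = get_post( $course_id );
    $denied    = new WP_Error( 'rest_forbidden', 'Forbidden.', array( 'status' => 403 ) );

    // Unknown ID, or a post that is not a course ('course' post type is an assumption).
    if ( ! $course || 'course' !== $course->post_type ) {
        return $denied;
    }

    // draft, future (scheduled), private, pending: only users allowed to read the post.
    if ( 'publish' !== $course->post_status && ! current_user_can( 'read_post', $course_id ) ) {
        return $denied;
    }

    // Password-protected: a REST client has not entered the password, so only
    // users who may edit the course get the curriculum through this route.
    if ( post_password_required( $course ) && ! current_user_can( 'edit_post', $course_id ) ) {
        return $denied;
    }

    // Published course: still require a logged-in, enrolled user (or course staff).
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_unauthorized', 'Login required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'edit_post', $course_id )
        && ! academy_example_user_is_enrolled( get_current_user_id(), $course_id ) ) {
        return $denied;
    }
    return true;
}

// Hypothetical stand-in for the plugin's enrollment lookup (not a real plugin function).
function academy_example_user_is_enrolled( $user_id, $course_id ) {
    return (bool) get_user_meta( $user_id, 'academy_example_enrolled_' . $course_id, true );
}

// Data callback: only reached once the permission callback returned true.
// Curriculum items are modelled as child posts of type 'topic' (assumption).
function academy_example_get_topics( WP_REST_Request $request ) {
    $course_id = (int) $request->get_param( 'course_id' );
    $topics    = get_posts( array(
        'post_type'   => 'topic',
        'post_parent' => $course_id,
        'post_status' => 'any',
        'numberposts' => -1,
        'orderby'     => 'menu_order',
        'order'       => 'ASC',
    ) );
    $items = array();
    foreach ( $topics as $topic ) {
        $items[] = array( 'id' => $topic->ID, 'title' => $topic->post_title );
    }
    return rest_ensure_response( array( 'course_id' => $course_id, 'topics' => $items ) );
}
```

The decisive line is the permission_callback: with __return_true the data callback runs for every request, whatever the course's status, which is exactly the behaviour the advisory attributes to the affected versions. Note that the hardened version also treats a published course as restricted to enrolled users, since the advisory lists enrollment among the checks the vulnerable endpoint never performed.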
Successful exploitation results in unauthorized disclosure of course curriculum information, including content from courses explicitly restricted as private, draft, scheduled, or password-protected. The confidentiality impact is limited to course metadata and curriculum structure — there is no integrity or availability impact. While lateral movement is not applicable in this context, the exposure could undermine the business model of eLearning operators by allowing competitors or unauthorized users to access proprietary course content without purchase or enrollment (GitHub Advisory, Wordfence).
Detection indicators:
- Requests to the /wp-json/academy/v1/topics REST API endpoint iterating over numeric course ID parameters (e.g., ?course_id=1, ?course_id=2, etc.).
- Bursts of requests to /wp-json/academy/v1/topics with sequentially or randomly varying course_id parameters from a single or small set of IP addresses.
- Requests to the /topics REST API endpoint without authentication headers (no Authorization or session cookies), particularly with incrementing or randomized integer query parameters.

Site administrators should update the Academy LMS plugin to a version newer than 3.8.1, which includes a patch that implements proper permission callbacks on the /topics REST API endpoint (GitHub Advisory). The patch changeset is available for review at the WordPress plugin repository. As a temporary workaround, administrators can implement rate limiting on REST API endpoints via a WAF or security plugin (e.g., Wordfence) to reduce the risk of automated course ID enumeration. Restricting REST API access to authenticated users globally (if operationally feasible) would also mitigate this issue (Wordfence).
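The enumeration indicators above can be checked against ordinary web server access logs. The script below is an added example (not from the advisory or the plugin) that groups GET requests to /wp-json/academy/v1/topics by client IP and flags clients that queried many distinct course_id values or a run of consecutive IDs. The log lines are constructed sample data in the Apache/nginx "combined" format, and the two thresholds are assumptions to tune per site; since the combined format records neither the Authorization header nor cookies, the "no authentication headers" indicator needs a custom log format and is not covered here.

```php
<?php
// Added example, not part of the advisory: flag course_id enumeration
// against the /topics endpoint in access logs. Thresholds are assumptions.

const TOPICS_PATH      = '/wp-json/academy/v1/topics';
const MIN_DISTINCT_IDS = 5; // distinct course_id values from one client before alerting
const MIN_SEQUENTIAL   = 4; // a run of consecutive IDs this long alone warrants an alert

/**
 * Parse one combined-format line into ip, method, path, query params and
 * status; returns null for lines that do not match the format.
 */
function parse_access_line( string $line ): ?array {
    // host ident user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) /', $line, $m ) ) {
        return null;
    }
    $path  = parse_url( $m[3], PHP_URL_PATH ) ?: '';
    $query = parse_url( $m[3], PHP_URL_QUERY ) ?: '';
    parse_str( $query, $params );
    return array(
        'ip'     => $m[1],
        'method' => $m[2],
        'path'   => $path,
        'params' => $params,
        'status' => (int) $m[4],
    );
}

/** Length of the longest run of consecutive integers in an ascending-sorted array. */
function longest_consecutive_run( array $sorted_ids ): int {
    $best = $cur = $sorted_ids ? 1 : 0;
    for ( $i = 1, $n = count( $sorted_ids ); $i < $n; $i++ ) {
        $cur  = ( $sorted_ids[ $i ] === $sorted_ids[ $i - 1 ] + 1 ) ? $cur + 1 : 1;
        $best = max( $best, $cur );
    }
    return $best;
}

/**
 * Returns [ip => ['distinct_ids' => n, 'longest_run' => r]] for clients
 * whose /topics requests look like course ID enumeration.
 */
function find_enumeration( array $lines ): array {
    $ids_by_ip = array();
    foreach ( $lines as $line ) {
        $req = parse_access_line( $line );
        if ( ! $req || 'GET' !== $req['method'] || TOPICS_PATH !== $req['path'] ) {
            continue;
        }
        $id = $req['params']['course_id'] ?? null;
        if ( null === $id || ! ctype_digit( (string) $id ) ) {
            continue; // non-numeric IDs are a different signal, not enumeration
        }
        $ids_by_ip[ $req['ip'] ][ (int) $id ] = true; // keyed by ID => distinct set
    }

    $alerts = array();
    foreach ( $ids_by_ip as $ip => $id_set ) {
        $ids = array_keys( $id_set );
        sort( $ids );
        $run = longest_consecutive_run( $ids );
        if ( count( $ids ) >= MIN_DISTINCT_IDS || $run >= MIN_SEQUENTIAL ) {
            $alerts[ $ip ] = array( 'distinct_ids' => count( $ids ), 'longest_run' => $run );
        }
    }
    return $alerts;
}

// Constructed sample log: one client walks course_id 1..6, one fetches a single course.
$sample_log = array();
foreach ( range( 1, 6 ) as $i ) {
    $sample_log[] = '203.0.113.10 - - [02/Jul/2026:10:00:0' . $i . ' +0000] '
        . '"GET /wp-json/academy/v1/topics?course_id=' . $i . ' HTTP/1.1" 200 2048 "-" "curl/8.0"';
}
$sample_log[] = '198.51.100.7 - - [02/Jul/2026:10:05:00 +0000] '
    . '"GET /wp-json/academy/v1/topics?course_id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"';
$sample_log[] = '198.51.100.7 - - [02/Jul/2026:10:05:01 +0000] '
    . '"GET /wp-json/wp/v2/posts HTTP/1.1" 200 512 "-" "Mozilla/5.0"';

foreach ( find_enumeration( $sample_log ) as $ip => $evidence ) {
    printf( "ALERT %s: %d distinct course_ids, longest consecutive run %d\n",
        $ip, $evidence['distinct_ids'], $evidence['longest_run'] );
}
```

On the constructed sample only 203.0.113.10 is reported (6 distinct IDs, run of 6); the single-course client stays below both thresholds. Run it with `php detect_topics_enum.php`, or replace $sample_log with `file( '/var/log/nginx/access.log' )` to scan a real log. Because the vulnerable endpoint answers every ID with 200, the HTTP status carries no signal; the pattern of IDs per client is what distinguishes enumeration from normal course viewing.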
Source: This report was generated with the help of AI