CVE-2026-5348
WordPress Vulnerability Analysis and Mitigation

Overview

CVE-2026-5348 is an Insecure Direct Object Reference (IDOR) vulnerability in the Academy LMS – WordPress LMS Plugin for Complete eLearning Solution, developed by Kodezen. It affects all versions up to and including 3.8.1, and was published on July 2, 2026. The flaw allows unauthenticated attackers to access curriculum data for private, draft, scheduled, or password-protected courses by enumerating course IDs via the /topics REST API endpoint. It carries a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, Wordfence).

Technical Details

The root cause is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The /topics REST API endpoint in includes/api/course.php is registered with a permission callback hardcoded to __return_true, which unconditionally grants access to any caller without verifying authentication, course post status, or user enrollment. An attacker can exploit this by sending unauthenticated HTTP GET requests to the endpoint while iterating over numeric course IDs, retrieving detailed curriculum data for courses that should be restricted. Relevant vulnerable code is visible in the plugin's source at includes/api/course.php (lines 50 and 77) and includes/traits/courses.php (line 1514) (GitHub Advisory, Wordfence).

Impact

Successful exploitation results in unauthorized disclosure of course curriculum information, including content from courses explicitly restricted as private, draft, scheduled, or password-protected. The confidentiality impact is limited to course metadata and curriculum structure — there is no integrity or availability impact. While lateral movement is not applicable in this context, the exposure could undermine the business model of eLearning operators by allowing competitors or unauthorized users to access proprietary course content without purchase or enrollment (GitHub Advisory, Wordfence).

Exploitation Steps

  1. Reconnaissance: Identify WordPress sites running the Academy LMS plugin (version ≤ 3.8.1) using tools like WPScan, Shodan, or by inspecting page source for plugin indicators.
  2. Enumerate course IDs: Send unauthenticated HTTP GET requests to the /wp-json/academy/v1/topics REST API endpoint, iterating over numeric course ID parameters (e.g., ?course_id=1, ?course_id=2, etc.).
  3. Retrieve restricted curriculum data: For each valid course ID, the endpoint returns detailed curriculum information regardless of the course's publication status (private, draft, scheduled, or password-protected) or whether the requester is enrolled.
  4. Harvest data: Collect and aggregate curriculum structure, topic names, and lesson details from all accessible courses, including those not publicly listed (GitHub Advisory, Wordfence).

Indicators of Compromise

  • Network: High volume of unauthenticated GET requests to /wp-json/academy/v1/topics with sequentially or randomly varying course_id parameters from a single or small set of IP addresses.
  • Logs: WordPress access logs showing repeated requests to the /topics REST API endpoint without authentication headers (no Authorization or session cookies), particularly with incrementing or randomized integer query parameters.
  • Logs: Unusual spikes in REST API traffic volume targeting the Academy LMS plugin endpoints outside of normal business hours.

Mitigation and Workarounds

Site administrators should update the Academy LMS plugin to a version newer than 3.8.1, which includes a patch that implements proper permission callbacks on the /topics REST API endpoint (GitHub Advisory). The patch changeset is available for review at the WordPress plugin repository. As a temporary workaround, administrators can implement rate limiting on REST API endpoints via a WAF or security plugin (e.g., Wordfence) to reduce the risk of automated course ID enumeration. Restricting REST API access to authenticated users globally (if operationally feasible) would also mitigate this issue (Wordfence).
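The following is an added illustration, not Academy LMS code or its actual patch: it shows the hardcoded __return_true permission callback described in the technical details beside a hardened permission callback of the kind the fix is said to implement, checking that the course exists, that the caller may read it in its current status, and that any post password has already been supplied. The route namespace academy/v1 and the course_id parameter come from this page; the handler name example_get_course_topics and the course post type name 'academy_courses' are assumptions.

```php
<?php
// Illustrative example, not Academy LMS code. Assumed names: the handler
// example_get_course_topics() and the course post type 'academy_courses'.

// Vulnerable pattern: a permission callback of '__return_true' grants every
// caller, authenticated or not, the topics of any course ID (CWE-639).
//   'permission_callback' => '__return_true',

// Hardened pattern: verify the course exists, that the caller may read it in
// its current status, and that any post password has already been supplied.
function example_topics_permission_check( WP_REST_Request $request ) {
    $course_id = (int) $request->get_param( 'course_id' );
    $course    = get_post( $course_id );

    // Reject unknown IDs and IDs that are not courses (assumed post type).
    if ( ! $course || 'academy_courses' !== $course->post_type ) {
        return new WP_Error( 'rest_course_invalid', 'Course not found.', array( 'status' => 404 ) );
    }

    // Draft, private, pending and scheduled courses require read_post on that
    // post; anonymous callers get 401, logged-in callers without rights get 403.
    if ( 'publish' !== $course->post_status && ! current_user_can( 'read_post', $course_id ) ) {
        return new WP_Error( 'rest_forbidden', 'You cannot view this course.', array( 'status' => rest_authorization_required_code() ) );
    }

    // Password-protected courses: post_password_required() stays true until
    // the caller has submitted the password (WordPress then sets a cookie).
    if ( post_password_required( $course ) ) {
        return new WP_Error( 'rest_forbidden', 'Course is password protected.', array( 'status' => 403 ) );
    }

    // Enrollment checks are plugin-specific and would be added here.
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'academy/v1', '/topics', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_course_topics',
        'permission_callback' => 'example_topics_permission_check',
        'args'                => array(
            'course_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

Registering this route alongside the plugin's own /topics route would conflict; the snippet shows what the registration should look like, not a drop-in replacement.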

Source: This report was generated with the help of AI.
