CVE-2025-11086: 
WordPress vulnerability analysis and mitigation

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution is vulnerable to privilege escalation in versions up to and including 3.3.7. The vulnerability was discovered and disclosed on October 22, 2025. The issue affects the plugin's Social Login addon functionality (NVD).

The vulnerability stems from improper validation of user roles during the registration process via the Social Login addon. When users register through this addon, the plugin fails to properly validate their role assignments, allowing unauthenticated attackers to elevate their privileges to Administrator level. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 HIGH (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows unauthenticated attackers to gain administrator privileges on affected WordPress sites. This level of access enables complete control over the website, including the ability to modify content, install or remove plugins and themes, manage users, and potentially compromise the entire website (NVD).

The vulnerability has been patched in version 3.3.8 of the Academy LMS plugin, released on October 6, 2025. Site administrators are strongly advised to update to this version immediately. The update includes improvements to form builder registration information display and user profile editing capabilities (Academy LMS).