
Cloud Vulnerability DB
A community-led vulnerabilities database
The Academy LMS WordPress plugin (versions up to 3.3.8) contains a PHP Object Injection vulnerability identified as CVE-2025-12099. The vulnerability exists in the 'importallcourses' function, which deserializes untrusted input. Exploiting it requires an authenticated user with Administrator-level access or above (NVD).
The vulnerability stems from improper handling of deserialization of untrusted input in the 'importallcourses' function. The issue is classified as CWE-502 (Deserialization of Untrusted Data). The vulnerability has been assigned a CVSS v3.1 base score of 7.2 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity, though requiring high privileges (NVD).
The vulnerability's impact is contingent on the presence of a POP (Property-Oriented Programming) chain in additional plugins or themes installed on the target system. If such a chain exists, attackers could potentially delete arbitrary files, retrieve sensitive data, or execute code. However, without a known POP chain present in the vulnerable software itself, the direct impact is limited (NVD).
Users should upgrade to a version newer than 3.3.8 when available. Given the requirement for administrator-level access, ensuring proper access control and limiting administrator accounts to trusted users can help mitigate the risk (NVD).
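The following added example is not Academy LMS code or the vendor's patch. It shows a general hardening pattern for CWE-502 in PHP import routines: decode with `allowed_classes` set to `false` so no class from another plugin or theme is instantiated, then reject any payload that contained an object. The function names and sample strings are hypothetical, and the example assumes imported fields may hold serialized PHP values.

```php
<?php
// Hypothetical helpers for illustration; not taken from the plugin.

/**
 * Decode one imported field without instantiating any class.
 * With allowed_classes => false, serialized objects become
 * __PHP_Incomplete_Class, so no __wakeup()/__destruct() method
 * belonging to other installed code is ever invoked.
 */
function safe_decode_import_field(string $raw)
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        return $raw; // not serialized PHP: keep the plain string
    }
    if (contains_object($value)) {
        throw new UnexpectedValueException('Serialized object rejected in import data');
    }
    return $value;
}

/** Walk nested arrays looking for any object, including incomplete ones. */
function contains_object($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class || is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample input: a scalar array, an object of a made-up class, plain text.
$samples = [
    'a:2:{s:5:"title";s:6:"Intro1";s:5:"price";i:10;}',
    'O:12:"ExampleClass":1:{s:4:"path";s:8:"/tmp/abc";}',
    'plain text title',
];
foreach ($samples as $raw) {
    try {
        var_export(safe_decode_import_field($raw));
        echo PHP_EOL;
    } catch (UnexpectedValueException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Where the import format is under the developer's control, exchanging data as JSON with `json_decode()` avoids PHP object deserialization entirely.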
Source: This report was generated using AI