CVE-2025-59562: 
WordPress vulnerability analysis and mitigation

An Authorization Bypass Through User-Controlled Key vulnerability was discovered in Academy LMS WordPress plugin versions through 3.3.4. The vulnerability was identified on September 22, 2025, and assigned CVE-2025-59562. The issue specifically affects the Academy LMS plugin's access control security levels, potentially allowing authenticated users with Instructor privileges or higher to perform unauthorized actions (Patchstack).

The vulnerability is classified as an Insecure Direct Object References (IDOR) issue, which falls under the CWE-639 category (Authorization Bypass Through User-Controlled Key). It received a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H, indicating network accessibility with low attack complexity, though requiring high privileges (Patchstack).

The vulnerability could allow malicious actors to bypass authorization mechanisms, authentication controls, access sensitive files/folders, or interact with the database in unintended ways. The specific impact varies case by case, but the overall severity is considered low to medium based on the CVSS score (Patchstack).

The vulnerability has been fixed in Academy LMS version 3.3.5. Users are advised to update to version 3.3.5 or later to remove the vulnerability. The security issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).