Academy LMS WordPress Plugin PHP Object Injection Vulnerability
Vulnerability
A PHP Object Injection vulnerability has been identified in the Academy LMS WordPress plugin, in versions through 3.3.8. The issue is in the 'import_all_courses' function, which deserializes untrusted input. This allows authenticated attackers with Administrator-level access to inject a PHP object. No PHP Object Injection chain is known in the vulnerable plugin itself, so the vulnerability has no effect unless another installed plugin or theme provides such a chain. If such a chain exists, it could enable the attacker to delete files, access sensitive information, or execute code, depending on the nature of the chain.
Impact
Exploitation of this vulnerability results in unauthorized PHP Object Injection. Further impact is possible only if a PHP Object Injection chain is available through other installed plugins or themes.
Reproduction
To reproduce this vulnerability, an authenticated user with Administrator privileges can upload a CSV file containing course data through the 'import_all_courses' function. The uploaded file must be in the correct format and include the necessary course information. Once the file is uploaded, the deserialization of the untrusted input occurs, allowing for the injection of a PHP object.
Remediation
Users are advised to update the Academy LMS WordPress plugin to version 3.3.9 or later.
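For sites that accept course CSV files from others, the following added example (not code from the plugin or from this advisory) scans a CSV file for serialized PHP object markers before it is imported. The advisory does not say which CSV field is deserialized, so the sketch checks every cell; the column names, sample rows and the class name `ExampleClass` are constructed for illustration.

```python
import csv
import io
import re

# Matches the header of a serialized PHP object ("O:") or a custom-serialized
# object ("C:") anywhere in a value, including inside serialized arrays.
# The optional "+" covers the signed length form that older PHP versions accept.
SERIALIZED_OBJECT = re.compile(r'(?<![A-Za-z0-9])[OC]:\+?\d+:"([^"]+)":\d+:\{')


def find_serialized_objects(csv_text):
    """Return (row, column, class_name) for each serialized object found."""
    findings = []
    reader = csv.reader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=1):
        for col_no, cell in enumerate(row, start=1):
            for match in SERIALIZED_OBJECT.finditer(cell):
                findings.append((row_no, col_no, match.group(1)))
    return findings


def build_sample_csv():
    """Constructed sample: column names and values are illustrative only."""
    rows = [
        ["title", "status", "meta"],
        # Serialized array of scalars: no object, should not be flagged.
        ["Intro to PHP", "publish", 'a:1:{s:5:"level";s:8:"beginner";}'],
        # Object nested inside a serialized array.
        ["Advanced PHP", "draft", 'a:1:{i:0;O:8:"stdClass":0:{}}'],
        # Top-level object of a hypothetical class.
        ["Go: 101", "publish", 'O:12:"ExampleClass":1:{s:4:"path";s:1:"x";}'],
    ]
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    for row, col, cls in find_serialized_objects(build_sample_csv()):
        print(f"row {row}, column {col}: serialized object of class {cls!r}")
```

A match means the file carries a serialized object and should not be imported on an unpatched site; the check does not decode values that are themselves encoded (for example base64), so it complements the update rather than replacing it.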
