Academy LMS WordPress Plugin Privilege Escalation Vulnerability

A privilege escalation vulnerability allowing account takeover has been identified in the Academy LMS WordPress plugin, specifically in versions through 3.5.0. The issue arises because the plugin fails to properly verify a user's identity before allowing password changes, relying instead on a publicly accessible nonce for authorization. This flaw enables unauthenticated attackers to reset passwords for any user, including administrators, and gain unauthorized access to their accounts.

Impact

Exploitation of this vulnerability allows for unauthorized password changes, enabling attackers to gain access to user accounts, including those of administrators.

Reproduction

To reproduce this vulnerability, an unauthenticated user can send a password reset request to the WordPress site. The request must include the security nonce, which is publicly accessible. The absence of proper identity verification allows the attacker to change the password of any user, effectively taking over their account.

Remediation

Users are advised to update the Academy LMS WordPress plugin to version 3.5.1 or later, where this vulnerability has been patched.