CVE-2025-15521

The · The Academy LMS Multiple Products

A critical vulnerability has been identified in The Academy LMS WordPress plugin, allowing unauthenticated attackers to take over any user account, including those with administrative privileges.

Executive summary

A critical vulnerability has been identified in The Academy LMS WordPress plugin, allowing unauthenticated attackers to take over any user account, including those with administrative privileges. This flaw stems from an insecure password update mechanism that can be easily exploited to gain complete control of an affected website. Immediate patching is required to prevent potential data breaches, website defacement, and further system compromise.

Vulnerability

The vulnerability is a privilege escalation flaw that allows for a full account takeover. The plugin's password update function fails to properly authenticate the user making the change request. It incorrectly relies on a nonce (a security token) for authorization, but this nonce is publicly accessible. An unauthenticated attacker can obtain a valid nonce and then craft a request to change the password of any user on the site, needing only to know the target's username. This allows the attacker to set a new password, log in as that user, and, if the user is an administrator, gain complete control over the WordPress site.
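To make the failure concrete, here is an added illustration (not the plugin's actual code) of the pattern described above: a handler that treats a WordPress nonce as authorization, beside a hardened handler that checks identity and capability. The action name, the parameter names and the `wp_ajax_nopriv_` registration are assumptions for the example; in WordPress a nonce only mitigates cross-site request forgery and can be read by anyone who can load the page that prints it.

```php
<?php
// Added illustration, not The Academy LMS code. Action and parameter names are assumed.

// Vulnerable pattern: the nonce is the only check. Anyone who can read the nonce
// from a public page can set a new password for any username they supply.
function example_update_password_insecure() {
    check_ajax_referer( 'example_update_password', 'nonce' );
    $user = get_user_by( 'login', sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ) );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user' );
    }
    wp_set_password( (string) ( $_POST['new_password'] ?? '' ), $user->ID ); // no identity or capability check
    wp_send_json_success();
}
// Registering the handler for logged-out visitors is what makes it reachable unauthenticated.
add_action( 'wp_ajax_nopriv_example_update_password', 'example_update_password_insecure' );

// Hardened pattern: the nonce still blocks CSRF, but the caller must be logged in,
// the target defaults to the caller's own account, changing another account needs
// the edit_user capability, and a self-service change must prove the current password.
function example_update_password_secure() {
    check_ajax_referer( 'example_update_password', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 ); // wp_send_json_error() terminates the request
    }
    $actor_id  = get_current_user_id();
    $target_id = $actor_id;
    if ( ! empty( $_POST['username'] ) ) { // optional: an administrator editing another account
        $target = get_user_by( 'login', sanitize_user( wp_unslash( $_POST['username'] ) ) );
        if ( ! $target || ! current_user_can( 'edit_user', $target->ID ) ) {
            wp_send_json_error( 'not permitted', 403 );
        }
        $target_id = $target->ID;
    }
    $new = (string) ( $_POST['new_password'] ?? '' );
    if ( $target_id === $actor_id ) { // self-service: the session alone is not enough
        $actor   = get_userdata( $actor_id );
        $current = (string) ( $_POST['current_password'] ?? '' );
        if ( ! wp_check_password( $current, $actor->user_pass, $actor_id ) ) {
            wp_send_json_error( 'current password incorrect', 403 );
        }
    }
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }
    wp_set_password( $new, $target_id );
    wp_send_json_success();
}
// Only registered for authenticated users; there is deliberately no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_example_update_password', 'example_update_password_secure' );
```

The test a reviewer should apply to any password-change handler is whether removing the nonce check would be the only thing standing between an anonymous request and a password write; if so, the nonce is being misused as authentication.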

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation would have a severe and direct impact on the business. An attacker gaining administrative access can steal sensitive user data (including student information and PII), deface the website, install malicious backdoors, distribute malware to visitors, or completely destroy the site's content. For an eLearning platform, this could lead to a catastrophic loss of customer trust, significant financial costs for incident response and recovery, regulatory fines for data breaches, and severe reputational damage.

Remediation

Immediate Action: Update The Academy LMS plugin to the latest patched version provided by the vendor. After applying the update, thoroughly review administrative user accounts for any unauthorized changes or additions. Review access logs for any suspicious password reset activity or logins from unrecognized IP addresses that may have occurred prior to patching.

Proactive Monitoring: Monitor web server access logs for unusual POST requests to the plugin's password update endpoints. Configure security information and event management (SIEM) alerts for multiple failed login attempts followed by a successful login from an unusual location. Monitor for the creation of new administrative users or unexpected privilege changes to existing accounts.

Compensating Controls: If patching is not immediately possible, implement a Web Application Firewall (WAF) with a virtual patching rule to block malicious requests targeting the vulnerable password change function. Restrict access to the WordPress login and admin areas (/wp-login.php and /wp-admin/) to trusted IP addresses. Enforce mandatory two-factor authentication (2FA) for all users, especially administrators, to add a layer of protection against account takeover.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the low complexity required for exploitation, this vulnerability poses an immediate and severe threat to any organization using the affected plugin. We strongly recommend applying the vendor-supplied patch to all affected systems with the highest priority. Although this CVE is not currently listed on the CISA KEV list, its potential for complete system compromise warrants treatment as an emergency-level threat. After patching, conduct a thorough security audit to identify and remediate any signs of a pre-existing compromise.