Academy LMS <= 1.9.16 - Missing Authorization

Wordfence Intelligence   >   Vulnerability Database   >   Academy LMS <= 1.9.16 - Missing Authorization
5.4
Missing Authorization
CVE CVE-2024-32714
CVSS 5.4 (Medium)
Publicly Published April 22, 2024
Last Updated April 29, 2024
Researcher Mochamad Sofyan

Description

The Academy LMS plugin for WordPress is vulnerable to unauthorized access due to insufficient validation on the enroll_course() function in versions up to, and including, 1.9.16. This makes it possible for authenticated attackers, with subscriber-level access and above, to enroll in paid courses for free.

References

Share

Vulnerability Details for Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

Software Type Plugin
Software Slug academy (view on wordpress.org)
Patched? Yes
Remediation Update to version 1.9.17, or a newer patched version
Affected Version
  • <= 1.9.16
Patched Version
  • 1.9.17

Recent vulnerabilities in Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

Academy LMS <= 3.5.3 - Missing Authorization
4.3
CVE-2026-25372
Feb 17, 2026
Researcher: Jakub Herman
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.5.0 - Unauthenticated Privilege Escalation via Account Takeover
9.8
CVE-2025-15521
Jan 20, 2026
Researcher: vgo0
Academy LMS <= 3.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVE-2025-68527
Dec 30, 2025
Researcher: Muhammad Yudha - DJ
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.3.8 - Authenticated (Administrator+) PHP Object Injection via 'import_all_courses'
7.2
CVE-2025-12099
Nov 7, 2025
Researcher: Michelle Porter
Academy LMS <= 3.3.4 - Authenticated (Academy Instructor+) Insecure Direct Object Reference
4.3
CVE-2025-59562
Sep 22, 2025
Researcher: n0_arafat_n0
Academy LMS <= 2.0.4 - Missing Authorization
2.7
CVE-2024-38701
Jul 11, 2024
Researcher: filime
Academy LMS <= 2.0.10 - Open Redirect
8.3
CVE-2024-37234
Jun 21, 2024
Researcher: Mochamad Sofyan
Academy LMS <= 1.9.25 - Unauthenticated Sensitive Information Exposure
5.3
CVE-2024-35171
May 10, 2024
Researcher: Peng Zhou
Academy LMS <= 1.9.16 - Missing Authorization
4.3
CVE-2024-33912
Apr 29, 2024
Researcher: Steven Julian
Academy LMS – eLearning and online course solution for WordPress <= 1.9.19 - Authenticated (Subscriber+) Privilege Escalation
8.8
CVE-2024-1505
Feb 21, 2024
Researcher: Lucio Sá
# Title CVE ID CVSS Researchers Date
1 Academy LMS <= 3.5.3 - Missing Authorization CVE-2026-25372 4.3 Jakub Herman February 17, 2026
2 Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.5.0 - Unauthenticated Privilege Escalation via Account Takeover CVE-2025-15521 9.8 vgo0 January 20, 2026
3 Academy LMS <= 3.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-68527 6.4 Muhammad Yudha - DJ December 30, 2025
4 Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.3.8 - Authenticated (Administrator+) PHP Object Injection via 'import_all_courses' CVE-2025-12099 7.2 Michelle Porter November 7, 2025
5 Academy LMS <= 3.3.4 - Authenticated (Academy Instructor+) Insecure Direct Object Reference CVE-2025-59562 4.3 n0_arafat_n0 September 22, 2025
6 Academy LMS <= 2.0.4 - Missing Authorization CVE-2024-38701 2.7 filime July 11, 2024
7 Academy LMS <= 2.0.10 - Open Redirect CVE-2024-37234 8.3 Mochamad Sofyan June 21, 2024
8 Academy LMS <= 1.9.25 - Unauthenticated Sensitive Information Exposure CVE-2024-35171 5.3 Peng Zhou May 10, 2024
9 Academy LMS <= 1.9.16 - Missing Authorization CVE-2024-33912 4.3 Steven Julian April 29, 2024
10 Academy LMS – eLearning and online course solution for WordPress <= 1.9.19 - Authenticated (Subscriber+) Privilege Escalation CVE-2024-1505 8.8 Lucio Sá February 21, 2024
View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

Copyright 2012-2026 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

Copyright 1999-2026 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation