PHP Object Injection Vulnerability in Academy LMS WordPress Plugin
CVE-2025-12099

7.2 HIGH

What is CVE-2025-12099?

The Academy LMS plugin for WordPress, a comprehensive eLearning solution, contains a PHP Object Injection vulnerability that authenticated attackers with Administrator-level access can exploit. The flaw arises from the deserialization of untrusted input in the 'import_all_courses' function and affects all versions up to and including 3.3.8. On its own the flaw has no inherent impact in the plugin, but the risk rises significantly if another installed plugin or theme provides a property-oriented programming (POP) chain. If such a chain exists, attackers could potentially delete arbitrary files, access sensitive data, or execute unauthorized code, depending on the installed components.
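
The weak and hardened deserialization patterns side by side, as an added PHP example that is not the plugin's code and not part of the original advisory. DemoCacheFile, decode_field_unsafe, decode_field_safe and the sample field are hypothetical and constructed for illustration; the advisory does not show how import_all_courses reads its input.

```php
<?php
// Added illustration, not Academy LMS code; every name below is hypothetical.
// Constructed stand-in for a class shipped by some other plugin or theme.
class DemoCacheFile {
    public $path = '';
    public static $log = [];
    public function __destruct() {
        // A real gadget would act on $this->path; this one only records it.
        self::$log[] = "destructor ran with path={$this->path}";
    }
}

// Weak pattern: any loaded class named in the input gets instantiated.
function decode_field_unsafe(string $raw) {
    return unserialize($raw);
}

// Hardened pattern: import data may contain scalars and arrays only.
function decode_field_safe(string $raw) {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        throw new InvalidArgumentException('not valid serialized data');
    }
    // With allowed_classes=false, objects decode as __PHP_Incomplete_Class.
    $stack = [$value];
    while ($stack) {
        $item = array_pop($stack);
        if (is_object($item) || $item instanceof __PHP_Incomplete_Class) {
            throw new InvalidArgumentException('serialized object rejected');
        }
        if (is_array($item)) {
            foreach ($item as $child) { $stack[] = $child; }
        }
    }
    return $value;
}

// Constructed sample field: an array with one embedded object.
$field = 'a:2:{s:5:"title";s:6:"Intro1";i:0;O:13:"DemoCacheFile":1:{s:4:"path";s:8:"demo.txt";}}';

$decoded = decode_field_unsafe($field);
unset($decoded); // last reference gone, so __destruct() fires here
print_r(DemoCacheFile::$log);

try {
    decode_field_safe($field);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Where the import format allows it, a data-only encoding such as JSON avoids object instantiation altogether.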

Affected Version(s)

Academy LMS – WordPress LMS Plugin for Complete eLearning Solution * <= 3.3.8

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michelle Porter