Insecure Direct Object Reference in Academy LMS Plugin for WordPress
CVE-2026-5348
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 2 July 2026
What is CVE-2026-5348?
The Academy LMS plugin for WordPress is susceptible to an Insecure Direct Object Reference, allowing unauthorized users to access sensitive course curriculum data. This vulnerability arises from the '/topics' REST API endpoint, which lacks adequate permission callbacks, thereby permitting unauthenticated access to course details. As a result, attackers can enumerate course IDs to gain insights into private, draft, scheduled, or password-protected courses without any verification of user enrollment or the course's post status, potentially exposing sensitive educational content.
Affected Version(s)
Academy LMS β WordPress LMS Plugin for Complete eLearning Solution 0 <= 3.8.1