Academy LMS WordPress Plugin CVE-2025-11086 Privilege Escalation: Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-11086, a privilege escalation vulnerability in the Academy LMS WordPress plugin (all versions up to and including 3.3.7) via the Social Login addon. It covers the affected versions, the technical root cause, and the vendor's security history.

ZeroPath CVE Analysis

2025-10-22

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Attackers can gain full administrative access to WordPress sites running Academy LMS by exploiting a flaw in the Social Login addon. Any site with the addon enabled is exposed, which includes the many eLearning platforms and course providers that rely on Academy LMS for user management and course delivery.

About Academy LMS: Academy LMS is a WordPress Learning Management System plugin developed by Creativeitem. It is used by thousands of educational institutions and online course creators to build, manage, and monetize eLearning content. The plugin integrates with WooCommerce, payment gateways, and a range of add-ons (the Social Login addon among them), which makes it a significant component of the WordPress LMS ecosystem.

Technical Information

CVE-2025-11086 is a privilege escalation vulnerability in the Academy LMS WordPress plugin, specifically affecting the Social Login addon. The technical flaw is due to improper validation of user roles during the registration process when users sign up via social authentication (Facebook or Google).

Vulnerability mechanism:

  • When a new user registers using the Social Login addon, the plugin processes user profile data returned from the social provider.
  • In all versions up to and including 3.3.7, the plugin does not enforce a fixed, server-side role for social sign-ups: the role assigned to the new account is derived from request data that the client controls, and that data is neither validated nor restricted.
  • An attacker can manipulate the registration request (for example, by intercepting and modifying HTTP parameters) to specify a privileged role such as 'Administrator'.
  • The plugin then creates the new user account with administrative privileges, granting full access to the WordPress site.

Root cause:

  • Insufficient validation of user role assignment during social login registration (CWE-269: Improper Privilege Management).
  • The vulnerable code path is triggered during the processing of OAuth callbacks from Facebook or Google, where user profile data is mapped to WordPress user accounts.
  • No vulnerable code or proof of concept has been published. The mechanism described above is inferred from the public advisory, which confirms only that the flaw lies in the plugin's handling of registration data during social login.
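The following illustration is added here and is not Academy LMS code (the plugin's vulnerable source has not been published). It shows the registration pattern the mechanism and root cause above describe, a handler that trusts client-supplied profile data including a role, next to a hardened form that verifies the user's identity with the provider on the server side and never reads a role from the request. The function names, the `myplugin_google_client_id` option, and the request field names are hypothetical; the WordPress functions used and Google's `tokeninfo` endpoint are real.

```php
<?php
// Added example, not the plugin's own code. Names marked "hypothetical"
// are assumptions for illustration.

// --- Vulnerable pattern (do not use) ---------------------------------------
// Every field comes from $_POST, which the browser, and therefore an attacker,
// controls. The role is copied straight into wp_insert_user(), so a request
// carrying role=administrator yields an administrator account (CWE-269).
function insecure_social_register() {                       // hypothetical name
    $email = sanitize_email( $_POST['email'] ?? '' );
    $name  = sanitize_text_field( $_POST['name'] ?? '' );
    $role  = $_POST['role'] ?? 'subscriber';                // attacker-controlled

    $user_id = wp_insert_user( array(
        'user_login'   => sanitize_user( $email, true ),
        'user_email'   => $email,
        'display_name' => $name,
        'user_pass'    => wp_generate_password( 24 ),
        'role'         => $role,                             // the flaw
    ) );
    if ( ! is_wp_error( $user_id ) ) {
        wp_set_auth_cookie( $user_id );
    }
}

// --- Hardened pattern -------------------------------------------------------
// 1. Only an opaque ID token leaves the browser; the identity is fetched from
//    the provider with a server-side call and checked against our client ID.
// 2. The role is never read from the request.
// 3. Only a provider-verified email may log in an existing account.

function verify_google_id_token( $id_token, $expected_client_id ) {  // hypothetical name
    // Google's tokeninfo endpoint validates the signature and expiry for us.
    $resp = wp_remote_get(
        'https://oauth2.googleapis.com/tokeninfo?id_token=' . rawurlencode( $id_token )
    );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return null;
    }
    $claims = json_decode( wp_remote_retrieve_body( $resp ), true );
    // tokeninfo returns every claim as a string, hence the comparison with 'true'.
    if ( ! is_array( $claims )
        || ( $claims['aud'] ?? '' ) !== $expected_client_id
        || 'true' !== ( $claims['email_verified'] ?? '' )
        || ! is_email( $claims['email'] ?? '' ) ) {
        return null;
    }
    return $claims;
}

function secure_social_register() {                          // hypothetical name
    $id_token  = $_POST['id_token'] ?? '';
    $client_id = get_option( 'myplugin_google_client_id' );  // hypothetical option
    $claims    = verify_google_id_token( $id_token, $client_id );
    if ( null === $claims ) {
        wp_die( 'Social login failed', 403 );
    }
    $email = $claims['email'];

    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        // The role is fixed server-side. Refuse to auto-provision into any role
        // that can manage the site, even if the site-wide default was misconfigured.
        $role     = get_option( 'default_role', 'subscriber' );
        $role_obj = get_role( $role );
        if ( ! $role_obj || $role_obj->has_cap( 'manage_options' ) ) {
            $role = 'subscriber';
        }
        $user_id = wp_insert_user( array(
            'user_login'   => sanitize_user( $email, true ),
            'user_email'   => $email,
            'display_name' => sanitize_text_field( $claims['name'] ?? '' ),
            'user_pass'    => wp_generate_password( 24 ),
            'role'         => $role,
        ) );
        if ( is_wp_error( $user_id ) ) {
            wp_die( 'Registration failed', 500 );
        }
    } else {
        $user_id = $user->ID;
    }
    wp_set_auth_cookie( $user_id );
}
```

The two properties worth checking in any social-login handler are visible side by side: the hardened version has no code path in which a value originating in the HTTP request reaches the `role` key, and it does not act on an email address until the provider has asserted it over a server-to-server channel. Verifying Facebook tokens follows the same shape with the Graph API `debug_token` endpoint instead of `tokeninfo`.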

Exploit characteristics:

  • No prior authentication is required; the attack can be performed by any unauthenticated user.
  • The attack complexity is low, requiring only a modified registration request.
  • The vulnerability is present only when the Social Login addon is enabled and configured. Sites with the addon disabled are not reachable through this path but should still update, since the addon can be enabled later.

Affected Systems and Versions

  • Product: Academy LMS – WordPress LMS Plugin for Complete eLearning Solution
  • Affected versions: All versions up to and including 3.3.7
  • Vulnerable configuration: Sites with the Social Login addon enabled (Facebook or Google social authentication)

Vendor Security History

Creativeitem, the developer of Academy LMS, has a documented history of privilege escalation vulnerabilities:

  • CVE-2024-1505: Privilege escalation via improper user meta updates (patched in version 1.9.20)
  • CVE-2025-56747: Privilege escalation in the API instructor controller (affecting versions up to 5.13). The version numbering indicates this issue is in Creativeitem's standalone Academy LMS application rather than the WordPress plugin, whose release line is 3.x.

The vendor has shown prompt patch response times (four days for CVE-2024-1505), but the recurrence of privilege escalation issues across its products suggests that access control validation and role assignment are not enforced consistently in the codebase.
