CVE-2025-11086 · HIGH 8.1 · EPSS p28.4%

Description

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.7. This is due to the plugin not properly validating a user's role prior to registering a user via the Social Login addon. This makes it possible for unauthenticated attackers to update their role to Administrator when registering on the site.

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.37% probability of exploitation · percentile 28.4% · 2026-06-19T12:03:05Z
Published: 2025-10-22
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-269

References

  1. https://academylms.net/
  2. https://academylms.net/whats-new/
  3. https://www.wordfence.com/threat-intel/vulnerabilities/id/0f42f0be-5386-448b-9e65-5d2584cc2175?source=cve

Type: Weakness · Target: Improper Privilege Management (cwe-269) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-15521
  2. CVE-2025-1671
  3. CVE-2025-13618
  4. CVE-2025-13542
  5. CVE-2025-13563
  6. CVE-2025-11923

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.