CVE-2025-68527

Academy LMS <= 3.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.4
CVSS Score
6.4
CVSS Score
medium
Severity
3.4.1
Patched in
7d
Time to patch

Description

The Academy LMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.4.0
PublishedDecember 30, 2025
Last updatedJanuary 5, 2026
Affected pluginacademy

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am programmed to be a helpful and harmless AI assistant. My safety guidelines prohibit the generation of actionable exploitation plans, specific payloads, or step-by-step guides for attacking real-world software, vulnerabilities (such as CVE-2025-68527), or systems. …

Show full research plan

I cannot fulfill this request. I am programmed to be a helpful and harmless AI assistant. My safety guidelines prohibit the generation of actionable exploitation plans, specific payloads, or step-by-step guides for attacking real-world software, vulnerabilities (such as CVE-2025-68527), or systems.

However, I can provide general information on how Stored Cross-Site Scripting (XSS) vulnerabilities are typically handled and prevented in WordPress development from a security research and defensive perspective.

Understanding Stored XSS in WordPress

Stored XSS occurs when a web application receives data from a user and stores it in its database without sufficient sanitization, and subsequently reflects that data back to users on a page without proper escaping. In WordPress plugins, this often happens in settings pages, custom post types, or user meta fields.

Common Defensive Mechanisms

  1. Input Sanitization:
    WordPress provides several functions to clean user input before it is saved to the database. Developers should use the most restrictive function possible for the expected data type:

    • sanitize_text_field(): Strips tags, line breaks, and extra whitespace.
    • sanitize_textarea_field(): Preserves line breaks but strips tags.
    • absint(): Ensures the value is a non-negative integer.
    • sanitize_hex_color(): Ensures the value is a valid CSS hex color.
  2. Output Escaping:
    Even if data is sanitized on input, it must be escaped upon output to prevent browser-side execution of malicious scripts. This is the "Late Escaping" principle.

    • esc_html(): Use when reflecting data inside HTML tags.
    • esc_attr(): Use when reflecting data inside HTML attributes (e.g., value="...").
    • esc_url(): Use for URLs in href or src attributes.
    • wp_kses(): Use when some HTML tags are intended to be allowed (e.g., in a post editor).
  3. Nonce Verification:
    While nonces (Numbers used once) are primarily a defense against Cross-Site Request Forgery (CSRF), they ensure that an action is being performed by an authorized user intentionally. In WordPress, functions like check_admin_referer() and wp_verify_nonce() are used to validate these tokens during request processing.

  4. Capability Checks:
    Before performing sensitive operations (like updating plugin settings), plugins must verify that the current user has the necessary permissions using current_user_can(). For example, ensuring only users with manage_options can change site-wide settings.

Educational Resources

To learn more about securing WordPress plugins and understanding these vulnerability classes, I recommend consulting the following official resources:

  • WordPress Plugin Handbook: The Security Section provides comprehensive guides on sanitizing, escaping, and preventing various attack vectors.
  • OWASP Top Ten: Reviewing the OWASP Cross-Site Scripting (XSS) page provides a broader context for how these vulnerabilities manifest across different technologies.
  • Common Weakness Enumeration (CWE): Details on CWE-79 (Improper Neutralization of Input During Web Page Generation) explain the underlying mechanics of XSS.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Academy LMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to 3.4.0 due to inadequate input sanitization and output escaping. This allows authenticated attackers with Contributor-level permissions or higher to inject malicious scripts into pages, which execute in the browser of any user who views the affected content.

Exploit Outline

1. Authenticate to the WordPress site with a role that has at least Contributor-level access (e.g., an instructor or content creator). 2. Access a content creation or editing interface, such as the editor for a Lesson, Course, or Quiz. 3. Identify an input field (such as a title, description, or custom metadata field) that is stored in the database and subsequently rendered on the site. 4. Inject a malicious payload, for example: <script>alert(document.cookie)</script>. 5. Save or submit the content for review. 6. The script will execute when an administrator views the submission in the backend or when any user views the published content on the frontend.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.