PatchSiren cyber security CVE debrief
CVE-2026-9341 kodezen CVE debrief
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference. Authenticated attackers with Subscriber-level access can read, overwrite, or delete private lesson notes and falsify lesson-completion progress. This vulnerability affects users with Subscriber-level access and above. The CVSS score is 4.3, indicating a Medium severity.
- Vendor
- kodezen
- Product
- Academy LMS
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-14
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-07-14
- Advisory updated
- 2026-07-14
Who should care
Users of the Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress, especially those with Subscriber-level access and above, should be aware of this vulnerability and take necessary actions to protect their sites. This includes updating the plugin, restricting access to sensitive AJAX handlers, and monitoring user activity.
Technical summary
The plugin is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.0 via the 'save_lesson_note', 'get_lesson_note', and 'complete_lesson_video' AJAX handlers due to missing validation on a user controlled key. This allows authenticated attackers to read, overwrite, or delete the private lesson notes of any other user (including administrators), and to falsify lesson-completion progress for arbitrary users. The vulnerability has a CVSS score of 4.3.
Defensive priority
Medium priority due to the CVSS score of 4.3 and the potential impact on user data and lesson completion progress.
Recommended defensive actions
- Update the plugin to a version that fixes the vulnerability.
- Restrict access to sensitive AJAX handlers.
- Monitor user activity and lesson completion progress.
- Implement additional security measures to prevent similar vulnerabilities.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record was published on 2026-07-14T12:17:14.793Z and has not been modified since then. The NVD entry is currently in the 'Received' status. The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference. Authenticated attackers with Subscriber-level access can read, overwrite, or delete private lesson notes and falsify lesson-completion progress. Evidence is limited to CVE and NVD entries.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T12:17:14.793Z and has not been modified since then. The NVD entry is currently in the 'Received' status.