PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9341 kodezen CVE debrief

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference. Authenticated attackers with Subscriber-level access can read, overwrite, or delete private lesson notes and falsify lesson-completion progress. This vulnerability affects users with Subscriber-level access and above. The CVSS score is 4.3, indicating a Medium severity.

Vendor
kodezen
Product
Academy LMS
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-14
Original CVE updated
2026-07-14
Advisory published
2026-07-14
Advisory updated
2026-07-14

Who should care

Users of the Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress, especially those with Subscriber-level access and above, should be aware of this vulnerability and take necessary actions to protect their sites. This includes updating the plugin, restricting access to sensitive AJAX handlers, and monitoring user activity.

Technical summary

The plugin is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.0 via the 'save_lesson_note', 'get_lesson_note', and 'complete_lesson_video' AJAX handlers due to missing validation on a user controlled key. This allows authenticated attackers to read, overwrite, or delete the private lesson notes of any other user (including administrators), and to falsify lesson-completion progress for arbitrary users. The vulnerability has a CVSS score of 4.3.

Defensive priority

Medium priority due to the CVSS score of 4.3 and the potential impact on user data and lesson completion progress.

Recommended defensive actions

  • Update the plugin to a version that fixes the vulnerability.
  • Restrict access to sensitive AJAX handlers.
  • Monitor user activity and lesson completion progress.
  • Implement additional security measures to prevent similar vulnerabilities.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.

Evidence notes

The CVE record was published on 2026-07-14T12:17:14.793Z and has not been modified since then. The NVD entry is currently in the 'Received' status. The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference. Authenticated attackers with Subscriber-level access can read, overwrite, or delete private lesson notes and falsify lesson-completion progress. Evidence is limited to CVE and NVD entries.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-14T12:17:14.793Z and has not been modified since then. The NVD entry is currently in the 'Received' status.