PT-2025-45559 · WordPress · Academy Lms

Michelle Porter · Published 2025-11-08 · Updated 2025-11-13 · CVE-2025-12099

CVSS v3.1: 7.2 High

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Academy LMS – WordPress LMS Plugin for Complete eLearning Solution versions prior to 3.3.9

Description: The software is susceptible to PHP Object Injection due to deserialization of untrusted input within the import all courses function. This allows authenticated attackers with Administrator-level access or higher to inject a PHP object. The impact of this issue is limited unless another plugin or theme containing a property-oriented programming (POP) chain is installed, which could allow actions such as arbitrary file deletion, sensitive data retrieval, or code execution.

Recommendations: Installations running versions prior to 3.3.9 should be updated.

Fix

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2025-12099

Affected Products: Academy Lms