{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12098", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-22T21:50:49.869Z", "datePublished": "2025-11-08T08:27:42.051Z", "dateUpdated": "2026-04-08T17:33:42.147Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:42.147Z"}, "affected": [{"vendor": "academylms", "product": "Academy LMS Pro", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.3.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.8 via the 'enqueue_social_login_script' function. This makes it possible for unauthenticated attackers to extract sensitive data including the Facebook App Secret if Facebook Social Login is enabled."}], "title": "Academy LMS Pro <= 3.3.8 - Unauthenticated Sensitive Information Exposure via 'enqueue_social_login_script'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f70ee339-d9d4-43ad-8605-6a5533783718?source=cve"}, {"url": "https://academylms.net/whats-new/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "cweId": "CWE-200", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michelle Porter"}], "timeline": [{"time": "2025-10-22T22:24:09.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-07T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-10T14:10:07.810473Z", "id": "CVE-2025-12098", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T14:14:14.118Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12098", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-10T14:10:07.810473Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T14:10:08.532Z"}}], "cna": {"title": "Academy LMS Pro <= 3.3.8 - Unauthenticated Sensitive Information Exposure via 'enqueue_social_login_script'", "credits": [{"lang": "en", "type": "finder", "value": "Michelle Porter"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "academylms", "product": "Academy LMS Pro", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.3.8"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-22T22:24:09.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-07T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f70ee339-d9d4-43ad-8605-6a5533783718?source=cve"}, {"url": "https://academylms.net/whats-new/"}], "descriptions": [{"lang": "en", "value": "The Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.8 via the 'enqueue_social_login_script' function. This makes it possible for unauthenticated attackers to extract sensitive data including the Facebook App Secret if Facebook Social Login is enabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:42.147Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12098", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:33:42.147Z", "dateReserved": "2025-10-22T21:50:49.869Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-08T08:27:42.051Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.8 via the 'enqueue_social_login_script' function. This makes it possible for unauthenticated attackers to extract sensitive data including the Facebook App Secret if Facebook Social Login is enabled."}], "id": "CVE-2025-12098", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-08T09:15:33.767", "references": [{"source": "security@wordfence.com", "url": "https://academylms.net/whats-new/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f70ee339-d9d4-43ad-8605-6a5533783718?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:34:23.291728+00:00", "value": {"mitigation_remediation": ["Upgrade Academy LMS Pro to the latest version (\u2265\u00a03.3.9) to remove the vulnerability.", "If immediate upgrading is not possible, disable Facebook Social Login in the plugin settings to prevent the script from exposing the secret.", "As a temporary workaround, add a custom snippet that deregisters or filters the 'enqueue_social_login_script' action so the App Secret is not rendered on unauthenticated pages."], "summary": {"action": "Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "All installations of Academy LMS Pro up to and including version 3.3.8 are affected. The plugin is distributed by the vendor academylms:Academy LMS Pro and is used by WordPress sites implementing an eLearning solution that may enable Facebook social login.", "description_and_impact": "Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution is vulnerable due to the 'enqueue_social_login_script' function, which allows unauthenticated attackers to read sensitive data when Facebook Social Login is enabled. The exposed data includes the Facebook App Secret, a credential that could be leveraged for unauthorized access to the social media integration or to impersonate the site on Facebook. The vulnerability does not require authentication but does rely on the social login script being loaded by a visitor of the site.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity vulnerability, and the EPSS score of less than 1% suggests a low likelihood that this flaw will be actively exploited in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is likely a direct web request to a page that triggers the enqueue_social_login_script function, enabling any visitor to read the exposed App Secret if the social login feature is enabled."}}}}, "created": "2025-11-10T09:33:26.978416+00:00", "updated": "2026-04-21T18:45:06.075186+00:00", "vendors": ["academylms", "academylms$PRODUCT$academy_lms_pro", "wordpress", "wordpress$PRODUCT$wordpress"]}