HIGH | CVE-2026-39598 | CNA: Patchstack

CVE-2026-39598: WordPress Academy LMS Pro plugin < 3.5.2 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows uploading a web shell to a web server. This issue affects Academy LMS Pro: from n/a before 3.5.2.

Metrics

  • CVSS v3.1: 8.0
  • Severity: HIGH
  • Fixed in: 3.5.2
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An arbitrary file upload vulnerability in the Academy LMS Pro WordPress plugin (versions before 3.5.2) allows a remote attacker to upload a web shell to the server. Exploitation requires a network connection and a high-privilege account, but no victim interaction, and the scope extends beyond the WordPress application itself. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected server. A patched-image rebuild at version 3.5.2 is available on HarborGuard for environments running an affected version of this plugin.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including the Patchstack advisory, within minutes of publication and matched against customer images and pipeline builds, including custom-built WordPress images that bundle Academy LMS Pro. Coverage applies whether the plugin is installed as a layer dependency or baked directly into a container image.
Triage (Available)

HarborGuard scores this finding at CVSS 8.0 (HIGH) and applies per-environment compliance policy weighting to determine priority and routing. Alerts are directed to the appropriate team inbox within each customer organization based on configured ownership and severity thresholds.
Patch (Available)

A patched-image rebuild at Academy LMS Pro version 3.5.2 becomes available through HarborGuard the moment the fixed upstream package is resolvable in the image dependency graph. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WordPress application over the network; the plugin's upload endpoint is exposed via standard HTTP, making this exploitable remotely.

  • Authentication: Required

    A high-privilege WordPress account (such as an administrator) is required, meaning the attacker must already control or compromise such an account before uploading a web shell.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker can upload the malicious file entirely through their own authenticated requests without involving any other user.

  • Attack complexity: High

    Attack complexity is rated High, meaning exploitation depends on environmental factors or specific conditions beyond the attacker's full control, such as particular server configurations or upload permission states.

Blast Radius

  • Reads any file accessible to the web server process, including WordPress configuration files containing database credentials and secret keys.
  • Modifies or deletes arbitrary files on the server, including WordPress core files, plugin code, and theme assets.
  • Executes arbitrary operating system commands through the uploaded web shell, giving the attacker a persistent foothold on the host.
  • Disrupts availability of the web server and any co-located services by terminating processes, consuming resources, or corrupting critical files.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-39598 is active across all environments that scan images containing Academy LMS Pro below version 3.5.2. Because this is a HIGH-severity finding with a confirmed fix, HarborGuard queues a patched-image rebuild at version 3.5.2 as soon as the dependency is resolvable. For customers with auto-remediation enabled, the typical flow is a rebuild, a regression-test run, and a pull request opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval, the rebuilt image is staged and a triage alert is routed to the configured owner for review and promotion. Until the patched image is deployed, network-policy controls that restrict unauthenticated and low-trust access to WordPress admin upload endpoints serve as a compensating control worth evaluating.


Fix available: 3.5.2

Affected packages
  • Kodezen LLC / Academy LMS Pro
    < 3.5.2 (from n/a)

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H