CVE-2025-12098 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the Academy LMS Pro WordPress plugin, a widely used eLearning solution. The flaw exists in the 'enqueue_social_login_script' function, which improperly exposes sensitive configuration data, including the Facebook App Secret, when Facebook Social Login is enabled. This exposure occurs without requiring any authentication or user interaction, making it accessible to any remote attacker. The Facebook App Secret is a critical credential that, if compromised, can allow attackers to impersonate the legitimate application, potentially enabling unauthorized access to user accounts or manipulation of authentication flows. The vulnerability affects all plugin versions up to and including 3.3.8. Despite the absence of known exploits in the wild, the risk remains significant due to the nature of the leaked information. The CVSS v3.1 base score is 5.3, indicating a medium severity level with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact is limited to confidentiality loss, with no direct effects on integrity or availability. The vulnerability was publicly disclosed on November 8, 2025, and no official patches or updates have been linked yet, emphasizing the need for immediate attention by users of the plugin.

For European organizations, especially those relying on Academy LMS Pro for eLearning and training, this vulnerability poses a risk of sensitive credential leakage that could lead to unauthorized access to Facebook-integrated authentication mechanisms. The exposure of the Facebook App Secret can enable attackers to impersonate the LMS application in Facebook's OAuth flows, potentially compromising user accounts or enabling phishing attacks. This can undermine trust in the eLearning platform, lead to data breaches involving user personal information, and disrupt training operations. Since the vulnerability does not affect system integrity or availability directly, the primary concern is confidentiality loss and the downstream effects of compromised authentication credentials. Organizations in sectors such as education, corporate training, and government digital learning initiatives are particularly at risk. The lack of authentication or user interaction required for exploitation increases the likelihood of automated scanning and exploitation attempts once the vulnerability becomes widely known. The absence of patches at the time of disclosure further elevates the risk until mitigations are applied.

European organizations using Academy LMS Pro should immediately assess whether Facebook Social Login is enabled in their installations. If enabled, disabling this feature temporarily can prevent exposure of the Facebook App Secret. Administrators should monitor plugin updates closely and apply any forthcoming patches promptly once released by the vendor. In the absence of official patches, organizations can consider code-level mitigations such as restricting access to the 'enqueue_social_login_script' function or sanitizing outputs to prevent leakage of sensitive data. Additionally, reviewing and rotating Facebook App Secrets and associated credentials is recommended to invalidate any potentially compromised secrets. Implementing web application firewalls (WAFs) with rules to detect and block attempts to access the vulnerable script can provide interim protection. Regular security audits and monitoring for unusual OAuth activity related to Facebook integrations should be conducted. Finally, educating LMS administrators about the risks and encouraging minimal use of third-party social login integrations can reduce attack surface.