CVE-2025-12098: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in academylms Academy LMS Pro
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.8 via the 'enqueue_social_login_script' function. This makes it possible for unauthenticated attackers to extract sensitive data including the Facebook App Secret if Facebook Social Login is enabled.
AI Analysis
Technical Summary
CVE-2025-12098 is a CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) vulnerability in the Academy LMS Pro plugin for WordPress, affecting all versions up to and including 3.3.8. The defect is in the plugin's 'enqueue_social_login_script' function: when Facebook Social Login is enabled, the function exposes the site's Facebook App Secret to anyone who can reach the site, with no authentication and no user interaction. The advisory does not publish the exact code path. In WordPress, a function named enqueue_* normally registers front-end scripts and hands them their configuration through wp_localize_script or wp_add_inline_script, so the most plausible mechanism is that the App Secret is written into script data on public pages next to the App ID that legitimately belongs there; that is an inference from the function name and the unauthenticated attack vector, not a statement from the advisory.

The Facebook App Secret is the confidential half of the application's credential. It is meant to be used only server-side, for exchanging OAuth authorization codes for access tokens and for signing Graph API calls (appsecret_proof). Whoever holds it can act as the application towards Facebook, which undermines every login that trusts the Facebook flow; depending on how the site validates the login callback, this can extend to taking over the accounts of users who sign in through Facebook.

The CVSS 3.1 base score is 5.3 (Medium), consistent with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: network-reachable, low attack complexity, no privileges, no user interaction, limited confidentiality impact and no integrity or availability impact. The score rates the disclosure in isolation; the practical damage comes from follow-on use of the credential, which CVSS does not count. At the time of this report no patch or update had been officially released and no exploitation in the wild had been observed. Given how widely WordPress LMS plugins are deployed in education and corporate training, the exposure is a tangible risk for organisations that run Academy LMS Pro with Facebook Social Login enabled.
Potential Impact
For European organisations the main consequence is a confidentiality breach of a long-lived credential. An attacker holding the Facebook App Secret can act as the site's Facebook application, which can be turned against the social login flow to reach user accounts, read the profile data those accounts consented to share, and impersonate users on the LMS. Educational institutions and corporate training providers that use Academy LMS Pro would then face the usual consequences of unauthorised access to personal data: GDPR notification obligations where personal data is affected, reputational damage, and operational disruption while credentials are rotated and sessions are re-validated. The impact is greatest where Facebook Social Login is the primary or only authentication method, because the leaked secret undermines the trust the whole login process rests on. No direct integrity or availability impact is reported; the confidentiality loss alone justifies prompt action, because the secret is static and an attacker can keep using it until it is rotated.
Mitigation Recommendations
Start by assuming the secret is already compromised: the exposure needs no authentication, so any site that has run an affected version with Facebook Social Login enabled should treat its App Secret as leaked. Close the leaking code path first, then rotate. Closing it means disabling Facebook Social Login in the plugin settings or updating to a version newer than 3.3.8 once the vendor ships one; if neither is possible, a local change that removes the secret from whatever data 'enqueue_social_login_script' hands to the front end is a stop-gap, since the secret is only ever needed server-side for the authorization-code exchange and nothing on a public page legitimately depends on it. Keep such a change under version control, because the next plugin update will overwrite it. Then reset the App Secret in the Meta App Dashboard and store the new value in the plugin's configuration; rotating before the code path is closed only leaks the new secret the same way.

After mitigation, verify from an unauthenticated session: fetch a public page and confirm the App Secret no longer appears in the HTML or in any script the page loads. Be realistic about network-level controls here. If the secret is emitted as part of normal page output, every ordinary page view already discloses it, so there is no distinctive request for a WAF rule to block and nothing in the web server logs that separates an attacker from a regular visitor; log review and WAF rules remain good general hygiene but are not a mitigation for this issue. Detection is more useful on the Facebook side: review the app's activity in the Meta App Dashboard for token exchanges or Graph API calls that do not match your site's traffic. Finally, keep WordPress core and plugins current, limit wp-admin access to the accounts that need it, and treat any credential a plugin stores as something that must never be passed to client-side code.
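The verification step above can be scripted. The following is an added example, not code from the Academy LMS plugin, from Wordfence or from the advisory. It assumes the exposure takes the form an enqueue function normally produces, a configuration object written into an inline <script> on public pages, and scans rendered HTML for secret-like keys; it also compares an operator-supplied plugin version string (taken from the WordPress Plugins page or the plugin header) against the 3.3.8 boundary. The sample HTML, the variable name exampleSocialLogin, the plugin path and all key names and values are constructed for the example.

```python
"""Check a site for CVE-2025-12098-style exposure of the Facebook App Secret.

Added example, not code from the Academy LMS plugin, Wordfence or the advisory.
Assumption (from the name enqueue_social_login_script, not from the advisory):
the secret reaches the browser inside a configuration object written into an
inline <script> by wp_localize_script / wp_add_inline_script. The scanner looks
for secret-like keys in every inline script of a rendered page; the version
check compares an operator-supplied version string against the 3.3.8 boundary.
"""
import re
from html.parser import HTMLParser

VULNERABLE_MAX = (3, 3, 8)  # advisory: all versions up to and including 3.3.8

# Key names worth flagging: app_secret, client_secret, appSecret, fb_secret, ...
SECRET_KEY_RE = re.compile(r"secret", re.IGNORECASE)
# "key": "value" or key: 'value' pairs inside script text (JSON or JS literals)
PAIR_RE = re.compile(r"""["']?([A-Za-z0-9_\-]+)["']?\s*:\s*["']([^"']*)["']""")


class InlineScriptCollector(HTMLParser):
    """Collects the text of every inline <script> (one without a src attribute)."""

    def __init__(self):
        super().__init__()
        self._inline = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._inline = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

    def handle_data(self, data):
        # Script bodies can arrive in several chunks; append to the current one.
        if self._inline:
            self.scripts[-1] += data


def redact(value):
    """Keep a 4-character prefix so a finding can be matched to the real credential."""
    return value[:4] + "*" * max(0, len(value) - 4)


def find_secret_like_keys(html):
    """Return [(key, redacted_value)] for secret-like keys found in inline scripts."""
    collector = InlineScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        for key, value in PAIR_RE.findall(script):
            if value and SECRET_KEY_RE.search(key):
                findings.append((key, redact(value)))
    return findings


def parse_version(text):
    """'3.3.8' -> (3, 3, 8); tolerates suffixes such as '3.3.8-pro'."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def version_in_affected_range(text):
    """True when the installed version falls in the advisory's affected range."""
    return parse_version(text) <= VULNERABLE_MAX


# Constructed sample page: what a localized social-login config might look like
# on a vulnerable site. Names and values are made up for this example.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="/wp-content/plugins/example-lms/assets/social-login.js?ver=3.3.8"></script>
<script>
var exampleSocialLogin = {"provider":"facebook","app_id":"1234567890",
  "app_secret":"abcd1234secret","redirect_uri":"https://lms.example/login"};
</script>
</head><body><p>Welcome</p></body></html>"""


if __name__ == "__main__":
    print("version 3.3.8 affected:", version_in_affected_range("3.3.8"))
    for key, redacted in find_secret_like_keys(SAMPLE_HTML):
        print(f"secret-like key {key!r} exposed in inline script: {redacted}")
```

Run it against the HTML of a public page fetched without cookies (the exposure is unauthenticated, so a logged-in session proves nothing). A hit on a key such as app_secret is a confirmed leak regardless of the plugin version; an empty result on a version at or below 3.3.8 only shows that this particular page did not carry the data, so check the login page and any page that renders the social login button as well. The scanner deliberately flags any key containing "secret" rather than a fixed name, because the advisory does not publish the variable the plugin uses.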
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-22T21:50:49.869Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690f02ef224224608af9754f
Added to database: 11/8/2025, 8:44:31 AM
Last enriched: 11/15/2025, 9:05:57 AM
Last updated: 12/24/2025, 12:48:24 AM