
CVE-2025-12098: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in academylms Academy LMS Pro

Severity: Medium
Tags: Vulnerability, CVE-2025-12098, CWE-200
Published: Sat Nov 08 2025 (11/08/2025, 08:27:42 UTC)
Source: CVE Database V5
Vendor/Project: academylms
Product: Academy LMS Pro

Description

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.8 via the 'enqueue_social_login_script' function. This makes it possible for unauthenticated attackers to extract sensitive data including the Facebook App Secret if Facebook Social Login is enabled.

AI-Powered Analysis (machine-generated threat intelligence)

Last updated: 02/27/2026, 20:04:27 UTC

Technical Analysis

CVE-2025-12098 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the Academy LMS Pro plugin for WordPress, a popular eLearning solution. The flaw exists in all versions up to and including 3.3.8 within the 'enqueue_social_login_script' function. This function improperly exposes sensitive data, specifically the Facebook App Secret, when Facebook Social Login is enabled. The vulnerability allows unauthenticated attackers to retrieve this secret without any user interaction or privileges, as the affected script is accessible publicly. The Facebook App Secret is a critical credential used to authenticate the LMS plugin with Facebook's API, and its exposure can lead to unauthorized API access, impersonation, or further exploitation of the Facebook integration. The CVSS 3.1 base score is 5.3, reflecting a medium severity due to the confidentiality impact and ease of exploitation (network vector, no privileges, no user interaction). No integrity or availability impacts are noted. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability underscores a common security oversight in web plugins where sensitive configuration data is exposed through publicly accessible scripts. Organizations relying on Academy LMS Pro with Facebook Social Login enabled are at risk of credential leakage, which could compromise their Facebook integration and potentially lead to broader security issues if attackers leverage the stolen secrets.

Potential Impact

The primary impact of CVE-2025-12098 is the unauthorized disclosure of the Facebook App Secret used by the Academy LMS Pro plugin. This exposure compromises the confidentiality of sensitive credentials, which could allow attackers to impersonate the affected LMS application to Facebook's services, potentially enabling unauthorized API calls, data harvesting, or manipulation of social login flows. While the vulnerability does not directly affect system integrity or availability, the leaked credentials could be used as a stepping stone for more sophisticated attacks, including phishing campaigns or lateral movement within an organization's infrastructure if combined with other vulnerabilities. Organizations worldwide using this plugin with Facebook Social Login enabled risk reputational damage, loss of user trust, and potential compliance violations related to data protection regulations. The ease of exploitation (no authentication or user interaction required) increases the likelihood of opportunistic attacks, especially on publicly accessible LMS websites. However, the absence of known exploits in the wild suggests that the threat is currently moderate but could escalate if weaponized. The impact is more significant for organizations heavily reliant on Facebook integration for user authentication and those with sensitive user data managed via the LMS.

Mitigation Recommendations

To mitigate CVE-2025-12098, organizations should immediately assess whether Facebook Social Login is enabled in their Academy LMS Pro installations. If it is enabled, temporarily disable the feature until the vendor releases a security patch or update that addresses the vulnerability. Restrict access to the script output by the 'enqueue_social_login_script' function and to related plugin scripts by implementing web server rules or application-level access controls, so that unauthenticated visitors cannot retrieve the sensitive data. Review and rotate the Facebook App Secret to invalidate any credential that may already have been exposed. Monitor web server logs for unusual access patterns targeting the vulnerable script. Engage with the plugin vendor or community to obtain updates or patches promptly once they are available. Additionally, conduct a security audit of other third-party plugins and integrations to confirm that no similar exposure of sensitive information exists. Employ web application firewalls (WAFs) to detect and block suspicious requests targeting the plugin endpoints. Finally, educate development and operations teams about secure handling of API credentials and the risks of exposing them in publicly accessible code or scripts.
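The following is an added illustration of the pattern behind this class of exposure in WordPress plugins; it is not Academy LMS Pro's code, and the exact mechanism inside the real 'enqueue_social_login_script' function is not shown on this page and is assumed here. A script-enqueueing function passes server-side options, including the OAuth App Secret, to the browser via wp_localize_script, so every visitor can read the secret from the page source. The hardened form keeps the secret server-side, sends the browser only the public App ID and a nonce, and performs the code-for-token exchange in a server-side handler. All option names, the script handle and the AJAX action name are placeholders.

```php
<?php
// Added example, not the plugin's own code. Option names, the script handle,
// the AJAX action and the callback path are placeholders chosen for illustration.

// VULNERABLE PATTERN (CWE-200): the App Secret is handed to the browser.
// Everything passed to wp_localize_script is printed into the public HTML.
function example_enqueue_social_login_script_vulnerable() {
    wp_enqueue_script( 'example-social-login', plugins_url( 'js/social-login.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-social-login', 'exampleSocialLogin', array(
        'fb_app_id'     => get_option( 'example_fb_app_id' ),
        'fb_app_secret' => get_option( 'example_fb_app_secret' ), // leaks to every visitor
    ) );
}

// HARDENED: the browser receives only the public App ID, the AJAX URL and a nonce.
function example_enqueue_social_login_script_fixed() {
    if ( ! get_option( 'example_fb_login_enabled' ) ) {
        return; // nothing to enqueue when the feature is switched off
    }
    wp_enqueue_script( 'example-social-login', plugins_url( 'js/social-login.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-social-login', 'exampleSocialLogin', array(
        'fb_app_id' => get_option( 'example_fb_app_id' ),
        'ajax_url'  => admin_url( 'admin-ajax.php' ),
        'nonce'     => wp_create_nonce( 'example_social_login' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_social_login_script_fixed' );

// The secret is used only here, server-side, when the browser posts back the
// authorization code it obtained from Facebook and the server exchanges it
// for an access token. The endpoint follows Facebook's documented Login flow.
function example_social_login_exchange_code() {
    check_ajax_referer( 'example_social_login', 'nonce' );
    $code = isset( $_POST['code'] ) ? sanitize_text_field( wp_unslash( $_POST['code'] ) ) : '';
    if ( '' === $code ) {
        wp_send_json_error( 'missing authorization code', 400 );
    }
    $token_url = add_query_arg( array(
        'client_id'     => get_option( 'example_fb_app_id' ),
        'client_secret' => get_option( 'example_fb_app_secret' ), // never leaves the server
        'redirect_uri'  => home_url( '/social-login/callback' ),   // placeholder path
        'code'          => $code,
    ), 'https://graph.facebook.com/oauth/access_token' );
    $response = wp_remote_get( $token_url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'token exchange failed', 502 );
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $body['access_token'] ) ) {
        wp_send_json_error( 'no access token in response', 502 );
    }
    // Next step (omitted): verify the token, fetch the profile and log the user in.
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_social_login', 'example_social_login_exchange_code' );
add_action( 'wp_ajax_example_social_login', 'example_social_login_exchange_code' );
```

A quick defensive check that follows from this pattern: with Facebook Social Login enabled, load a public page of the site while logged out, view the page source, and search for the configured App Secret value. If it appears anywhere in the HTML or in the enqueued script, treat the secret as exposed, rotate it in the Facebook developer settings, and disable the feature until the vendor's fix is applied.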


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-22T21:50:49.869Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690f02ef224224608af9754f

Added to database: 11/8/2025, 8:44:31 AM

Last enriched: 2/27/2026, 8:04:27 PM

Last updated: 3/25/2026, 1:42:00 AM
