CVE-2025-56747 identifies a privilege escalation vulnerability in the Creativeitem Academy Learning Management System (LMS) up to and including version 5.13. The vulnerability resides in the Api_instructor controller, which is responsible for handling instructor-specific functions such as course creation and management. Due to insufficient role validation, regular authenticated users—who do not possess instructor privileges—can invoke these instructor-only API endpoints. This bypass allows unauthorized users to create, modify, or manage courses without proper authorization, effectively elevating their privileges within the LMS environment. The flaw arises from a failure to enforce role-based access control (RBAC) checks on critical API functions, a fundamental security oversight. Although no public exploits have been reported, the vulnerability presents a significant risk because any authenticated user can exploit it without needing additional credentials or complex attack vectors. The impact includes unauthorized course manipulation, potential disruption of educational workflows, and possible data integrity and confidentiality concerns if course content or user data is altered maliciously. The vulnerability was reserved in August 2025 and published in October 2025, but no CVSS score or patches have been released yet. This suggests that organizations using Creativeitem Academy LMS should proactively assess and mitigate this risk.

For European organizations, particularly educational institutions, training providers, and enterprises relying on Creativeitem Academy LMS, this vulnerability poses a substantial risk. Unauthorized course creation and management can lead to misinformation, disruption of learning processes, and potential reputational damage. Attackers could manipulate course content, enroll unauthorized users, or remove legitimate courses, impacting availability and integrity of educational services. Confidentiality risks arise if unauthorized users gain access to sensitive course materials or student data through escalated privileges. The disruption could extend to compliance issues, especially under GDPR, if personal data is mishandled or exposed. Given the widespread adoption of e-learning platforms in Europe, the threat could affect a broad range of organizations, from universities to corporate training departments. The absence of known exploits suggests a window for preemptive mitigation, but the ease of exploitation by any authenticated user heightens urgency. The impact is amplified in environments with weak authentication or insufficient monitoring of user activities.

Organizations should immediately audit user roles and permissions within Creativeitem Academy LMS to identify and restrict unauthorized access. Until an official patch is released, implement compensating controls such as enhanced monitoring and logging of API calls related to instructor functions to detect anomalous activities. Enforce strict authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of compromised user accounts being exploited. Consider network segmentation or firewall rules to limit access to the LMS API endpoints only to trusted users or IP ranges. Conduct regular reviews of course creation and modification logs to identify unauthorized changes promptly. Engage with the vendor to obtain timelines for patches or updates addressing this vulnerability. Additionally, educate LMS administrators and users about the risk and encourage prompt reporting of suspicious behavior. Where feasible, temporarily disable or restrict instructor API functions for non-instructor roles through configuration or custom access controls.