Academy LMS (WordPress) unauthenticated password change leading to account takeover

This repository contains a single operational Python exploit, CVE-2025-15521.py, plus a README and license. The exploit targets CVE-2025-15521 in the Academy LMS WordPress plugin up to version 3.5.0. Its purpose is unauthenticated account takeover via an insecure password reset flow that accepts a publicly exposed academy_nonce from course pages and a chosen user_id, allowing password reset without email verification or ownership checks. Repository structure is minimal: one Python script implements the exploit logic, README.md documents the vulnerability, workflow, and usage, and LICENSE contains restrictive redistribution terms. The Python script is interactive and prompts for a targets file, thread count, reset handler path, course path, maximum pages to scan, target user_id, new password, timeout, and output file. Core exploit capability: for each target site, it normalizes the WordPress base URL (including subdirectory installs), scans course-related pages to extract a valid reset nonce, submits a password reset request to the vulnerable handler for a chosen user_id, enumerates candidate usernames using WordPress author redirects and the REST API, then attempts login using the attacker-chosen password. It performs strict success validation by rejecting known login failures, requiring a wordpress_logged_in cookie, and confirming actual wp-admin access using admin UI markers rather than relying on HTTP status alone. Successful compromises are appended to an output file. The exploit is not just a detector; it actively changes account passwords and verifies administrative access. It is best classified as OPERATIONAL rather than a simple PoC because it includes a working exploitation chain and post-exploitation verification, though it is not part of a larger exploitation framework.