Creativeitem Academy LMS up to and including 5.13 contains a privilege escalation vulnerability in the Api_instructor controller where regular authenticated users can access instructor-only functions without proper role validation, allowing unauthorized course creation and management.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.