CVE-2022-2034

The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to teachers
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
WPScanCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
VendorProductVersion
automatticsensei_lms
𝑥
< 4.5.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://hackerone.com/reports/1590237
https://wpscan.com/vulnerability/aba3dd58-7a8e-4129-add5-4dd5972c0426
https://hackerone.com/reports/1590237
https://wpscan.com/vulnerability/aba3dd58-7a8e-4129-add5-4dd5972c0426