CVE-2022-2034

EUVD-2022-34338
The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to teachers
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 96%
Affected Products (NVD)
VendorProductVersion
automatticsensei_lms
𝑥
< 4.5.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://hackerone.com/reports/1590237
https://wpscan.com/vulnerability/aba3dd58-7a8e-4129-add5-4dd5972c0426
https://hackerone.com/reports/1590237
https://wpscan.com/vulnerability/aba3dd58-7a8e-4129-add5-4dd5972c0426