CVE-2022-2034

MEDIUM NUCLEI

Automattic Sensei LMS < 4.5.0 - IDOR

Title source: rule

Description

The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set on one of its REST endpoints, allowing unauthenticated users to access private messages sent to teachers.

Nuclei Templates (1)

WordPress Sensei LMS <4.5.0 - Information Disclosure
MEDIUM, VERIFIED, by imhunterand

Scores

CVSS v3 5.3
EPSS 0.3375
EPSS Percentile 97.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-639
Status published
Products (1)
automattic/sensei_lms < 4.5.0
Published Aug 29, 2022
Tracked Since Feb 18, 2026