CVE-2022-2034

MEDIUM NUCLEI

Sensei LMS < 4.5.0 - Unauthenticated Private Message Access via REST Endpoint

Title source: llm

Exploitation Summary

CVE-2022-2034 has a Nuclei detection template available; it is listed in the Nuclei Templates section below.

Description

The Sensei LMS WordPress plugin before 4.5.0 does not set proper permissions on one of its REST endpoints, allowing unauthenticated users to access private messages sent to teachers.
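The bug class here is a WordPress REST route whose permission check lets anonymous callers through, so the route handler returns records that belong to other users. The following is an added example, not code from Sensei LMS or the fix shipped in 4.5.0: the route names, the `example_message` post type and the `_recipient_id` meta key are assumptions for illustration. It shows the weak registration beside a hardened one that refuses unauthenticated callers in `permission_callback` and then scopes the result to messages the caller sent or received (the CWE-639 mitigation).

```php
<?php
/**
 * Added example (not Sensei LMS code). Assumed names: the 'example-lms/v1'
 * namespace, the 'example_message' post type and the '_recipient_id' meta key.
 */

// --- Weak pattern: the route is readable by anyone, logged in or not ---------
// Since WordPress 5.5 a route without 'permission_callback' triggers a
// _doing_it_wrong notice but still serves requests; '__return_true' silences
// the notice while keeping exactly the same exposure.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-lms/v1', '/messages', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_lms_list_messages',
        'permission_callback' => '__return_true',
    ) );
} );

// --- Hardened pattern: authenticate first, then return only the caller's rows --
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-lms/v1', '/messages-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_lms_list_own_messages',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Reject anonymous callers before the route callback ever runs.
            if ( ! is_user_logged_in() ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Authentication required.',
                    array( 'status' => 401 )
                );
            }
            return true;
        },
        'args' => array(
            'per_page' => array(
                'type'              => 'integer',
                'default'           => 20,
                'minimum'           => 1,
                'maximum'           => 100,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

/** Shape of the bug: every private message, regardless of who is asking. */
function example_lms_list_messages( WP_REST_Request $request ) {
    $posts = get_posts( array(
        'post_type'   => 'example_message',   // assumed post type
        'post_status' => 'private',
        'numberposts' => 20,
    ) );
    return rest_ensure_response( array_map( 'example_lms_format_message', $posts ) );
}

/**
 * Only messages where the authenticated user is the sender (post author) or
 * the recipient (assumed '_recipient_id' meta). Administrators may see all.
 */
function example_lms_list_own_messages( WP_REST_Request $request ) {
    $user_id  = get_current_user_id();
    $is_admin = current_user_can( 'manage_options' );

    $posts = get_posts( array(
        'post_type'   => 'example_message',
        'post_status' => 'private',
        'numberposts' => -1,
    ) );

    $own = array_filter( $posts, function ( WP_Post $post ) use ( $user_id, $is_admin ) {
        if ( $is_admin ) {
            return true;
        }
        $recipient = (int) get_post_meta( $post->ID, '_recipient_id', true );
        return (int) $post->post_author === $user_id || $recipient === $user_id;
    } );

    // Apply pagination after the ownership filter so a large per_page value
    // cannot widen the set of visible records.
    $own = array_slice( array_values( $own ), 0, $request->get_param( 'per_page' ) );

    return rest_ensure_response( array_map( 'example_lms_format_message', $own ) );
}

/** Minimal serializer used by both handlers. */
function example_lms_format_message( WP_Post $post ) {
    return array(
        'id'      => $post->ID,
        'subject' => $post->post_title,
        'body'    => $post->post_content,
        'sender'  => (int) $post->post_author,
    );
}
```

The point of doing the ownership check inside the callback, not only in `permission_callback`, is that `permission_callback` runs before the request is resolved to specific records; it can answer "may this caller use the route at all?" but not "may this caller see this particular message?". Both checks are needed to close a CWE-639 hole.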

Nuclei Templates (1)

WordPress Sensei LMS <4.5.0 - Information Disclosure
Severity: MEDIUM; status: VERIFIED; author: imhunterand

References (2)

https://wpscan.com/vulnerability/aba3dd58-7a8e-4129-add5-4dd5972c0426 (Exploit, Third Party Advisory; tagged exploit, vdb-entry, technical-description)
https://hackerone.com/reports/1590237 (Exploit, Third Party Advisory)

Scores

CVSS v3 5.3
EPSS 0.0169
EPSS Percentile 74.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-639
Status published
Products (1)
automattic/sensei_lms < 4.5.0
Published Aug 29, 2022
Tracked Since Feb 18, 2026