CVE-2020-26876
published 2020-10-07CVE-2020-26876: The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step (for course videos and materials) by using the…
PriorityP178high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
9.20%
94.7th percentile
The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step (for course videos and materials) by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs because show_in_rest is enabled for custom post types (e.g., /wp-json/wp/v2/course and /wp-json/wp/v2/lesson exist).
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpcoursesplugin | wp-courses | <= 2.0.27 | — |
Detection & IOCsextracted from sources · hover to see the quote
- →HTTP GET request to /wp-json/wp/v2/lesson/1 (or any lesson/course ID) on a WordPress site running wp-courses plugin; a 200 or 404 response with Content-Type application/json and a body containing 'rest_post_invalid_id' or JSON fields 'guid', 'title', 'content', or 'excerpt' with 'rendered' key indicates the endpoint is exposed and exploitable.
- →The vulnerability is exploitable via the WordPress REST API because show_in_rest is enabled for the 'course' and 'lesson' custom post types in wp-courses plugin versions through 2.0.27, allowing unauthenticated access to protected content. ↗
- ·The Nuclei template targets lesson ID '1' as a probe, but any valid post ID for a course or lesson can be used. Defenders should monitor all requests matching /wp-json/wp/v2/course/* and /wp-json/wp/v2/lesson/* for unauthenticated access.
- ·Both HTTP 200 (successful data retrieval) and HTTP 404 (invalid ID but endpoint exists) are considered indicators of a vulnerable/exposed endpoint in the detection template.
- ·Affected versions are wp-courses plugin through 2.0.27; the fix was introduced in 2.0.29. The remediation note in the template incorrectly states version 1.0.9.
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck7.5HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-rjxr-p6mg-hvgf: The wp-courses plugin through 2
ghsa_unreviewed·2022-05-24
CVE-2020-26876 [HIGH] CWE-863 GHSA-rjxr-p6mg-hvgf: The wp-courses plugin through 2
The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step (for course videos and materials) by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs because show_in_rest is enabled for custom post types (e.g., /wp-json/wp/v2/course and /wp-json/wp/v2/lesson exist).
VulnCheck
wpcoursesplugin wp-courses Missing Authentication for Critical Function
vulncheck·2020·CVSS 7.5
CVE-2020-26876 [HIGH] wpcoursesplugin wp-courses Missing Authentication for Critical Function
wpcoursesplugin wp-courses Missing Authentication for Critical Function
The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step (for course videos and materials) by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs because show_in_rest is enabled for custom post types (e.g., /wp-json/wp/v2/course and /wp-json/wp/v2/lesson exist).
Affected: wpcoursesplugin wp-courses
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://nvd.nist.gov/vuln/detail/CVE-2020-26876; https://www.cve.org/CVERecord?id=CVE-2020-26876
No detection rules found.
Nuclei
WordPress WP Courses Plugin Information Disclosure
nuclei·CVSS 7.5
CVE-2020-26876 [HIGH] WordPress WP Courses Plugin Information Disclosure
WordPress WP Courses Plugin Information Disclosure
WordPress WP Courses Plugin < 2.0.29 contains a critical information disclosure which exposes private course videos and materials.
Template:
id: CVE-2020-26876
info:
name: WordPress WP Courses Plugin Information Disclosure
author: dwisiswant0
severity: high
description: WordPress WP Courses Plugin < 2.0.29 contains a critical information disclosure which exposes private course videos and materials.
impact: |
An attacker can exploit this vulnerability to gain sensitive information about the WordPress WP Courses Plugin.
remediation: |
Update to the latest version of the WordPress WP Courses Plugin (1.0.9) to fix the information disclosure vulnerability.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2020-26876
- https://www.exploit-db
No writeups or analysis indexed.
https://plugins.trac.wordpress.org/changeset/2388997https://plugins.trac.wordpress.org/changeset/2389243https://www.redtimmy.com/critical-information-disclosure-on-wp-courses-plugin-exposes-private-course-videos-and-materials/https://plugins.trac.wordpress.org/changeset/2388997https://plugins.trac.wordpress.org/changeset/2389243https://www.redtimmy.com/critical-information-disclosure-on-wp-courses-plugin-exposes-private-course-videos-and-materials/
2020-10-07
Published
Exploited in the wild