Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

Severity: 5.3 MEDIUM
EPSS: 33.7% (top 3.05%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Aug 29

Description

The Sensei LMS WordPress plugin before 4.5.0 does not set proper permissions on one of its REST endpoints, allowing unauthenticated users to access private messages sent to teachers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

CVEList V5: unknown/sensei_lms < 4.5.0

🔴 Vulnerability Details (2)

CVEList: Sensei LMS < 4.5.0 - Unauthenticated Private Messages Disclosure via Rest API (2022-08-29)
GHSA: GHSA-h8qw-944w-6vhw: The Sensei LMS WordPress plugin before 4 (2022-08-29)

💥 Exploits & PoCs (1)

Nuclei: WordPress Sensei LMS <4.5.0 - Information Disclosure

📋 Vendor Advisories (1)

CISA: Adobe Flash Player Memory Corruption Vulnerability (2022-03-28)
CVE-2022-2034 (MEDIUM CVSS 5.3) | The Sensei LMS WordPress plugin bef | cvebase.io