CVE-2022-2034
Published: 2022-08-29
Priority: P3 38 · Severity: medium · Base score: 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploit likelihood (EPSS): 1.87% (76.7th percentile)
The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set on one of its REST endpoints, allowing unauthenticated users to access private messages sent to teachers.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| automattic | sensei_lms | < 4.5.0 | 4.5.0 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CISA | | 7.5 | HIGH | |
GHSA

GHSA-h8qw-944w-6vhw (GHSA, unreviewed · 2022-08-29)
CVE-2022-2034 [MEDIUM] CWE-639
The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set on one of its REST endpoints, allowing unauthenticated users to access private messages sent to teachers.
CISA

Adobe Flash Player Memory Corruption Vulnerability (CISA · 2022-03-28 · CVSS 7.5)
CVE-2012-2034 [HIGH] CWE-119
Vulnerability: Adobe Flash Player Memory Corruption Vulnerability
Affected: Adobe Flash Player
Description: Adobe Flash Player contains a memory corruption vulnerability that allows for remote code execution or denial of service (DoS).
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2012-2034
Remediation Due Date: 2022-04-18
No detection rules found.
Nuclei

WordPress Sensei LMS <4.5.0 - Information Disclosure (nuclei · CVSS 5.3)
CVE-2022-2034 [MEDIUM]
WordPress Sensei LMS plugin before 4.5.0 is susceptible to information disclosure. The plugin does not have proper permissions set on a REST endpoint, which can allow an attacker to access private messages.

Template:

```yaml
id: CVE-2022-2034

info:
  name: WordPress Sensei LMS <4.5.0 - Information Disclosure
  author: imhunterand
  severity: medium
  description: |
    WordPress Sensei LMS plugin before 4.5.0 is susceptible to information disclosure. The plugin does not have proper permissions set in a REST endpoint, which can allow an attacker to access private messages.
  impact: |
    Unauthenticated attackers can access private Sensei LMS messages via unprotected REST API endpoints, potentially exposing confidential student-teacher communications.
  remedia
```
Published: 2022-08-29