
    8 vulnerabilities found for Sensei LMS by Unknown

    CVE-2024-8009 (GCVE-0-2024-8009)

    Vulnerability from nvd – Published: 2025-05-15 20:09 – Updated: 2025-11-13 20:58
    VLAI
    Title
    Sensei LMS < 4.20.0 - Teacher+ Users Email Address Disclosure
    Summary
    The Sensei LMS WordPress plugin before 4.20.0 discloses all users of the blog, including their email addresses, to teachers on the students page.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/737bb010-b2fa-4bf4-b124-5fbba67cf935/ (tags: exploit, vdb-entry, technical-description)
    Impacted products
    Vendor Product Version
    Unknown Sensei LMS Affected: 0 , < 4.20.0 (semver)
    Credits
    Li Xuhang WPScan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8009",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-16T15:16:44.567248Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-13T20:58:53.467Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Sensei LMS",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "4.20.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Li Xuhang"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Sensei LMS  WordPress plugin before 4.20.0 disclose all users of the blog including their email address to teachers on the students page"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-15T20:09:47.142Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/737bb010-b2fa-4bf4-b124-5fbba67cf935/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Sensei LMS \u003c 4.20.0 - Teacher+ Users Email Address Disclosure",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2024-8009",
        "datePublished": "2025-05-15T20:09:47.142Z",
        "dateReserved": "2024-08-20T12:29:53.471Z",
        "dateUpdated": "2025-11-13T20:58:53.467Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0466 (GCVE-0-2025-0466)

    Vulnerability from nvd – Published: 2025-02-04 06:00 – Updated: 2025-08-27 12:00
    VLAI
    Title
    Sensei LMS < 4.24.4 - Unauthenticated sensei_email/sensei_message Disclosure
    Summary
    The Sensei LMS WordPress plugin before 4.24.4 does not properly protect some of its REST API routes, allowing unauthenticated attackers to leak sensei_email and sensei_message information.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/53ab86dc-1195-4ba0-8eda-6a0d7b45c45f/ (tags: exploit, vdb-entry, technical-description)
    Impacted products
    Vendor Product Version
    Unknown Sensei LMS Affected: 0 , < 4.24.4 (semver)
    Credits
    Li Xuhang WPScan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0466",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-04T18:18:36.946930Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-04T18:20:35.288Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Sensei LMS",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "4.24.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Li Xuhang"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Sensei LMS WordPress plugin before 4.24.4 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak sensei_email and sensei_message Information."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-27T12:00:27.039Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/53ab86dc-1195-4ba0-8eda-6a0d7b45c45f/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Sensei LMS \u003c 4.24.4 - Unauthenticated sensei_email/sensei_message Disclosure",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2025-0466",
        "datePublished": "2025-02-04T06:00:11.861Z",
        "dateReserved": "2025-01-14T08:58:47.855Z",
        "dateUpdated": "2025-08-27T12:00:27.039Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7786 (GCVE-0-2024-7786)

    Vulnerability from nvd – Published: 2024-09-04 06:00 – Updated: 2025-08-27 12:00
    VLAI
    Title
    Sensei LMS < 4.24.2 - Unauthenticated Email Template Leak
    Summary
    The Sensei LMS WordPress plugin before 4.24.2 does not properly protect some of its REST API routes, allowing unauthenticated attackers to leak email templates.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/f44e6f8f-3ef2-45c9-ae9c-9403305a548a/ (tags: exploit, vdb-entry, technical-description)
    Impacted products
    Vendor Product Version
    Unknown Sensei LMS Affected: 0 , < 4.24.2 (semver)
    automattic sensei_lms Affected: 0 , < 4.24.2 (semver)
        cpe:2.3:a:automattic:sensei_lms:*:*:*:*:*:*:*:*
    Credits
    Sushmita Poudel WPScan

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:automattic:sensei_lms:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sensei_lms",
                "vendor": "automattic",
                "versions": [
                  {
                    "lessThan": "4.24.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7786",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-04T14:16:06.300640Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-04T14:17:10.670Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Sensei LMS",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "4.24.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sushmita Poudel"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Sensei LMS  WordPress plugin before 4.24.2 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak email templates."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-27T12:00:45.823Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/f44e6f8f-3ef2-45c9-ae9c-9403305a548a/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Sensei LMS \u003c 4.24.2 - Unauthenticated Email Template Leak",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2024-7786",
        "datePublished": "2024-09-04T06:00:04.429Z",
        "dateReserved": "2024-08-14T08:29:31.987Z",
        "dateUpdated": "2025-08-27T12:00:45.823Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2034 (GCVE-0-2022-2034)

    Vulnerability from nvd – Published: 2022-08-29 14:40 – Updated: 2024-08-03 00:24
    VLAI
    Title
    Sensei LMS < 4.5.0 - Unauthenticated Private Messages Disclosure via Rest API
    Summary
    The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set on one of its REST endpoints, allowing unauthenticated users to access private messages sent to teachers.
    Severity
    No CVSS data available.
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown Sensei LMS Affected: 0 , < 4.5.0 (custom)
    Credits
    Veshraj Ghimire WPScan

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:24:43.797Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/aba3dd58-7a8e-4129-add5-4dd5972c0426"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/1590237"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "product": "Sensei LMS",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "4.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Veshraj Ghimire"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to teachers"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-04T08:29:52.463Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/aba3dd58-7a8e-4129-add5-4dd5972c0426"
            },
            {
              "url": "https://hackerone.com/reports/1590237"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Sensei LMS \u003c 4.5.0 - Unauthenticated Private Messages Disclosure via Rest API",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2034",
        "datePublished": "2022-08-29T14:40:26.000Z",
        "dateReserved": "2022-06-08T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:24:43.797Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-8009 (GCVE-0-2024-8009)

    Vulnerability from cvelistv5 – Published: 2025-05-15 20:09 – Updated: 2025-11-13 20:58
    VLAI
    Title
    Sensei LMS < 4.20.0 - Teacher+ Users Email Address Disclosure
    Summary
    The Sensei LMS WordPress plugin before 4.20.0 discloses all users of the blog, including their email addresses, to teachers on the students page.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/737bb010-b2fa-4bf4-b124-5fbba67cf935/ (tags: exploit, vdb-entry, technical-description)
    Impacted products
    Vendor Product Version
    Unknown Sensei LMS Affected: 0 , < 4.20.0 (semver)
    Credits
    Li Xuhang WPScan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 4.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "LOW",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8009",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-16T15:16:44.567248Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-11-13T20:58:53.467Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Sensei LMS",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "4.20.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Li Xuhang"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Sensei LMS  WordPress plugin before 4.20.0 disclose all users of the blog including their email address to teachers on the students page"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-863 Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-15T20:09:47.142Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/737bb010-b2fa-4bf4-b124-5fbba67cf935/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Sensei LMS \u003c 4.20.0 - Teacher+ Users Email Address Disclosure",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2024-8009",
        "datePublished": "2025-05-15T20:09:47.142Z",
        "dateReserved": "2024-08-20T12:29:53.471Z",
        "dateUpdated": "2025-11-13T20:58:53.467Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-0466 (GCVE-0-2025-0466)

    Vulnerability from cvelistv5 – Published: 2025-02-04 06:00 – Updated: 2025-08-27 12:00
    VLAI
    Title
    Sensei LMS < 4.24.4 - Unauthenticated sensei_email/sensei_message Disclosure
    Summary
    The Sensei LMS WordPress plugin before 4.24.4 does not properly protect some of its REST API routes, allowing unauthenticated attackers to leak sensei_email and sensei_message information.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/53ab86dc-1195-4ba0-8eda-6a0d7b45c45f/ (tags: exploit, vdb-entry, technical-description)
    Impacted products
    Vendor Product Version
    Unknown Sensei LMS Affected: 0 , < 4.24.4 (semver)
    Credits
    Li Xuhang WPScan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "LOW",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-0466",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-02-04T18:18:36.946930Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-04T18:20:35.288Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Sensei LMS",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "4.24.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Li Xuhang"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Sensei LMS WordPress plugin before 4.24.4 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak sensei_email and sensei_message Information."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-27T12:00:27.039Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/53ab86dc-1195-4ba0-8eda-6a0d7b45c45f/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Sensei LMS \u003c 4.24.4 - Unauthenticated sensei_email/sensei_message Disclosure",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2025-0466",
        "datePublished": "2025-02-04T06:00:11.861Z",
        "dateReserved": "2025-01-14T08:58:47.855Z",
        "dateUpdated": "2025-08-27T12:00:27.039Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7786 (GCVE-0-2024-7786)

    Vulnerability from cvelistv5 – Published: 2024-09-04 06:00 – Updated: 2025-08-27 12:00
    VLAI
    Title
    Sensei LMS < 4.24.2 - Unauthenticated Email Template Leak
    Summary
    The Sensei LMS WordPress plugin before 4.24.2 does not properly protect some of its REST API routes, allowing unauthenticated attackers to leak email templates.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/f44e6f8f-3ef2-45c9-ae9c-9403305a548a/ (tags: exploit, vdb-entry, technical-description)
    Impacted products
    Vendor Product Version
    Unknown Sensei LMS Affected: 0 , < 4.24.2 (semver)
    automattic sensei_lms Affected: 0 , < 4.24.2 (semver)
        cpe:2.3:a:automattic:sensei_lms:*:*:*:*:*:*:*:*
    Credits
    Sushmita Poudel WPScan

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:automattic:sensei_lms:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "sensei_lms",
                "vendor": "automattic",
                "versions": [
                  {
                    "lessThan": "4.24.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 7.5,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7786",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-04T14:16:06.300640Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-04T14:17:10.670Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Sensei LMS",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "4.24.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Sushmita Poudel"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Sensei LMS  WordPress plugin before 4.24.2 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak email templates."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-27T12:00:45.823Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/f44e6f8f-3ef2-45c9-ae9c-9403305a548a/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Sensei LMS \u003c 4.24.2 - Unauthenticated Email Template Leak",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2024-7786",
        "datePublished": "2024-09-04T06:00:04.429Z",
        "dateReserved": "2024-08-14T08:29:31.987Z",
        "dateUpdated": "2025-08-27T12:00:45.823Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-2034 (GCVE-0-2022-2034)

    Vulnerability from cvelistv5 – Published: 2022-08-29 14:40 – Updated: 2024-08-03 00:24
    VLAI
    Title
    Sensei LMS < 4.5.0 - Unauthenticated Private Messages Disclosure via Rest API
    Summary
    The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set on one of its REST endpoints, allowing unauthenticated users to access private messages sent to teachers.
    Severity
    No CVSS data available.
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown Sensei LMS Affected: 0 , < 4.5.0 (custom)
    Credits
    Veshraj Ghimire WPScan

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T00:24:43.797Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "exploit",
                  "vdb-entry",
                  "technical-description",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/aba3dd58-7a8e-4129-add5-4dd5972c0426"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://hackerone.com/reports/1590237"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "product": "Sensei LMS",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "4.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Veshraj Ghimire"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Sensei LMS WordPress plugin before 4.5.0 does not have proper permissions set in one of its REST endpoint, allowing unauthenticated users to access private messages sent to teachers"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-07-04T08:29:52.463Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/aba3dd58-7a8e-4129-add5-4dd5972c0426"
            },
            {
              "url": "https://hackerone.com/reports/1590237"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Sensei LMS \u003c 4.5.0 - Unauthenticated Private Messages Disclosure via Rest API",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2022-2034",
        "datePublished": "2022-08-29T14:40:26.000Z",
        "dateReserved": "2022-06-08T00:00:00.000Z",
        "dateUpdated": "2024-08-03T00:24:43.797Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }