WordPress Plugin Vulnerabilities

LMS by Masteriyo < 1.6.8 - Information Exposure

Description

The plugin does not have proper authorization in one some of its REST API endpoints, making it possible for any students to retrieve email addresses of other students

Proof of Concept

Affects Plugins

Plugin icon
learning-management-system
Fixed in 1.6.8

References

CVE
CVE-2023-3345

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Yassir Sbai Fahim
Submitter
Yassir Sbai Fahim
Submitter website
https://iduzzel.com/
Submitter twitter
@iduzzel
Verified
Yes
WPVDB ID
0d07423e-98d2-43a3-824d-562747a3d65a

Timeline

Publicly Published
2023-07-10 (about 2 years ago)
Added
2023-07-10 (about 2 years ago)
Last Updated
2024-08-30 (about 1 year ago)

Other

Published
Title
Published
2023-09-08
Title
EWWW Image Optimizer < 7.2.1 - Sensitive Information Exposure
Published
2023-11-28
Title
Aruba HiSpeed Cache < 2.0.7 - Unauthenticated Log File Access
Published
2024-11-14
Title
Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders < 6.0.10 - Authenticated (Contributor+) Sensitive Information Exposure
Published
2024-11-08
Title
CE21 Suite <= 2.2.0 - JWT Token Disclosure
Published
2025-01-06
Title
Elementor AI Addons – 70 Widgets, Premium Templates, Ultimate Elements <= 2.2.1 - Authenticated (Contributor+) Private Templates Content Disclosure