WordPress Plugin Vulnerabilities

Sensei LMS < 4.5.2 - Arbitrary Private Message Sending via IDOR

Description

The plugin does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and student

Proof of Concept

Affects Plugins

Plugin icon
sensei-lms
Fixed in 4.5.2

References

CVE
CVE-2022-2080
URL
https://hackerone.com/reports/1592596
YouTube Video

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
3.1 (low)

Miscellaneous

Original Researcher
Veshraj Ghimire
Submitter
Veshraj Ghimire
Submitter website
https://veshrajghimire.com.np
Submitter twitter
GhimireVeshraj
Verified
Yes
WPVDB ID
5395d196-a39a-4a58-913e-5b5b9d6123a5

Timeline

Publicly Published
2022-08-04 (about 3 years ago)
Added
2022-08-04 (about 3 years ago)
Last Updated
2023-04-12 (about 2 years ago)

Other

Published
Title
Published
2024-04-16
Title
WP-Recall – Registration, Profile, Commerce & More < 16.26.6 - Insecure Direct Object Reference
Published
2020-12-28
Title
WooCommerce < 4.7.0 - Arbitrary Order Status Disclosure via IDOR
Published
2025-05-05
Title
User Registration & Membership – Custom Registration Form, Login Form, and User Profile < 4.2.2 - Insecure Direct Object Reference to Unauthenticated Limited User Deletion
Published
2023-05-12
Title
RegistrationMagic < 5.2.1.0 - Admin+ Arbitrary Password Update via IDOR
Published
2025-07-08
Title
Support Board < 3.8.1 - Unauthenticated Authorization Bypass due to Use of Default Secret Key