WordPress Plugin Vulnerabilities

Sensei LMS < 4.24.4 - Unauthenticated sensei_email/sensei_message Disclosure

Description

The plugin does not properly protect some its REST API routes, allowing unauthenticated attackers to leak sensei_email and sensei_message Information.

Proof of Concept

Affects Plugins

Plugin icon
sensei-lms
Fixed in 4.24.4

References

CVE
CVE-2025-0466

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Li Xuhang
Submitter
Li Xuhang
Verified
Yes
WPVDB ID
53ab86dc-1195-4ba0-8eda-6a0d7b45c45f

Timeline

Publicly Published
2025-01-14 (about 11 months ago)
Added
2025-01-14 (about 11 months ago)
Last Updated
2025-08-26 (about 4 months ago)

Other

Published
Title
Published
2025-11-11
Title
Alt Text Generator AI – Auto Generate & Bulk Update Alt Texts For Images < 1.8.4 - Missing Authorization to Authenticated (Subscriber+) API Key Deletion
Published
2024-04-09
Title
Essential Grid < 3.1.2 - Unauthenticated Private Post Disclosure
Published
2024-12-11
Title
Child Theme Creator by Orbisius < 1.5.6 - Missing Authorization to Authenticated (Subscriber+) Cloud Snippet Update/Delete
Published
2023-03-21
Title
JS Job Manager < 2.0.1 - Missing Authorization
Published
2025-12-12
Title
Directory Pro <= 2.5.6 - Missing Authorization