WordPress Plugin Vulnerabilities

Sensei LMS < 4.20.0 - Teacher+ Users Email Address Disclosure

Description

The plugin disclose all users of the blog including their email address to teachers on the students page

Proof of Concept

Affects Plugins

Plugin icon
sensei-lms
Fixed in 4.20.0

References

CVE
CVE-2024-8009

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Li Xuhang
Submitter
Li Xuhang
Verified
Yes
WPVDB ID
737bb010-b2fa-4bf4-b124-5fbba67cf935

Timeline

Publicly Published
2023-12-14 (about 2 years ago)
Added
2024-08-20 (about 1 year ago)
Last Updated
2024-08-20 (about 1 year ago)

Other

Published
Title
Published
2023-05-23
Title
Go Pricing - WordPress Responsive Pricing Tables < 3.4 - Incorrect Authorization leading to Arbitrary File Upload
Published
2023-08-14
Title
Media from FTP < 11.17 - Author+ Arbitrary File Access
Published
2024-01-29
Title
Avada < 7.11.2 - Contributor+ Arbitrary File Upload
Published
2025-11-07
Title
Download Manager < 3.3.31 - Unauthenticated Cron Trigger due to Hardcoded Cron Key
Published
2021-10-27
Title
WPS Hide Login < 1.9.1 - Protection Bypass with Referer-Header