WordPress Plugin Vulnerabilities

LifterLMS < 4.21.2 - Access Other Student Grades/Answers via IDOR

Description

The plugin was affected by an IDOR issue, allowing students to see other student answers and grades

Proof of Concept

Affects Plugins

Plugin icon
lifterlms
Fixed in 4.21.2

References

CVE
CVE-2021-24562
URL
https://make.lifterlms.com/2021/05/17/lifterlms-version-4-21-2/

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Amirmuhammad vakili
Submitter
captain_hook
Submitter website
https://captainhoook.medium.com/
Verified
Yes
WPVDB ID
d45bb744-4a0d-4af0-aa16-71f7e3ea6e00

Timeline

Publicly Published
2021-05-17 (about 4 years ago)
Added
2021-07-22 (about 4 years ago)
Last Updated
2023-01-24 (about 2 years ago)

Other

Published
Title
Published
2025-01-06
Title
WP Job Portal – A Complete Recruitment System for Company or Job Board website < 2.2.6- Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2025-02-17
Title
ProfileGrid – User Profiles, Groups and Communities < 5.9.4.3 - Insecure Direct Object Reference to Authenticated (Subscriber+) Private Messages Disclosure
Published
2025-11-17
Title
Post Type Switcher < 4.0.1 - Insecure Direct Object Reference to Authenticated (Author+) Post Type Change
Published
2024-06-28
Title
Page and Post Clone < 6.1 - Insecure Direct Object Reference to Authenticated (Author+) Sensitive Information Exposure
Published
2025-11-10
Title
The Total Book Project < 1.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Book Manipulation