Sensei LMS < 4.24.2 – Unauthenticated Email Template Leak | CVE 2024-7786 | Plugin Vulnerabilities

Description

The plugin does not properly protect some its REST API routes, allowing unauthenticated attackers to leak email templates.

Proof of Concept

Due to improper access control on Rest API, it was possible for unauthenticated users to list the email templates on any wordpress instance with the content of it.

Go to http://<instance>/index.php/wp-json/wp/v2/sensei_email/ for viewing the ID of the email template.

Now you can visit http://<instance>/index.php/wp-json/wp/v2/sensei_email/<TemplateID> to view the contents of the email template.

Affects Plugins

Fixed in 4.24.2

References

CVE

URL

https://github.com/Automattic/sensei/commit/4176507544fa4a520db74307f147169f36cf64ca

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Sushmita Poudel

Submitter

Sushmita Poudel

Submitter website

https://susmitapoudel.com.np/

Verified

Yes

WPVDB ID

f44e6f8f-3ef2-45c9-ae9c-9403305a548a

Timeline

Publicly Published

2024-08-14 (about 1 year ago)

Added

2024-08-14 (about 1 year ago)

Last Updated

2025-08-26 (about 4 months ago)

Other

Published

Title

Published

2023-11-07

Title

Easy Social Icons < 3.2.5 - Missing Authorization via cnss_save_ajax_order

Published

2025-04-15

Title

Unlimited Timeline < 1.6.1 - Missing Authorization

Published

2025-10-10

Title

GSheetConnector For Gravity Forms < 1.3.28 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

Published

2025-11-26

Title

WP Fastest Cache < 1.4.1 - Subscriber+ DB Cleanup Actions

Published

2025-05-07

Title

Calculate Prices based on Distance For WooCommerce < 1.3.6 - Missing Authorization