Unauthenticated Email Template Leak Vulnerability in Sensei LMS WordPress Plugin
CVE-2024-7786

5.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Sensei Lms
Vendor: CVE Published:; 4 September 2024

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 27%

Summary

The Sensei LMS WordPress plugin, prior to version 4.24.2, features improper access controls in certain REST API routes. This vulnerability enables unauthenticated attackers to gain access to sensitive email templates, potentially leading to information exposure. Proper security measures and updates are essential to safeguard against this type of unauthorized access, ensuring the integrity and confidentiality of user data.

Affected Version(s)

Sensei LMS 0 < 4.24.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-7786 - Proof of Concept

References

https://wpscan.com/vulnerability/f44e6f8f-3ef2-45c9-ae9c-...

exploitvdb-entrytechnical-description

EPSS Score

27% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Sep 4, 2024
👾
Exploit known to exist
Sep 4, 2024
Vulnerability published
Sep 4, 2024
Vulnerability Reserved
Aug 14, 2024

Credit

Sushmita Poudel

WPScan