First published: Mon Aug 29 2022(Updated: )
The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and student
Credit: contact@wpscan.com
Affected Software | Affected Version | How to fix |
---|---|---|
Automattic Sensei Lms | <4.5.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID of this issue is CVE-2022-2080.
The severity of CVE-2022-2080 is medium with a CVSS score of 4.3.
The Sensei LMS WordPress plugin version up to exclusive 4.5.2 is affected by CVE-2022-2080.
CVE-2022-2080 allows any authenticated user to send messages to arbitrary private conversations via an IDOR attack, bypassing the sender verification.
No, attackers exploiting CVE-2022-2080 are not able to see responses or messages.