Sensei LMS < 4.5.0 - Unauthenticated Private Messages Disclosure via Rest API
Description
The Sensei LMS WordPress plugin before 4.5.0 does not set proper permissions on one of its REST endpoints, allowing unauthenticated users to access private messages sent to teachers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE)
- (no CPE), range: <4.5.0
Patches
Vulnerability mechanics
Root cause
"Missing permission checks on a REST API endpoint allow unauthenticated access to private teacher messages."
Attack vector
An unauthenticated attacker sends a crafted request to the affected REST endpoint, which lacks a working permission check. Because the endpoint never verifies the caller's identity or role, the request is served as if it were authorized and the attacker retrieves private messages intended for teachers. The attack needs no credentials, no special network position and no prior interaction with the site. The advisory does not identify the specific route.
Affected code
The patch only updates the version number in `package-lock.json` from 4.4.3 to 4.5.0. The actual code fix for the REST endpoint permission issue is not visible in this diff; the advisory indicates the fix was applied in version 4.5.0 of the Sensei LMS WordPress plugin.
What the fix does
The diff on this page contains only the version bump in `package-lock.json` (4.4.3 to 4.5.0); the permission check itself is not in it but was shipped as part of the 4.5.0 release. With authorization enforced on the endpoint, only an authenticated user with the correct role can retrieve private teacher messages, and anonymous requests are rejected before the handler runs.
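The following PHP is an added illustration of the bug class described above and of the shape a fix takes; it is not Sensei LMS code and not the 4.5.0 patch. The advisory does not name the affected route, how messages are stored, or what the fix changed, so the namespace (`example-lms/v1`), the route, the post type, the meta key and every `example_lms_*` function are hypothetical stand-ins for the general WordPress REST pattern. The vulnerable registration is shown but deliberately not hooked; only the fixed one is wired to `rest_api_init`.

```php
<?php
/**
 * Added illustration, not Sensei LMS code. Namespace, route, post type,
 * meta key and function names are hypothetical; the advisory names none
 * of them. Contrasts a REST route with no effective permission check
 * against one that enforces authentication and per-message authorization.
 */

// Hypothetical storage: one private message per post of this type, with the
// addressed teacher's user ID kept in post meta.
const EXAMPLE_LMS_MESSAGE_TYPE   = 'example_lms_message';
const EXAMPLE_LMS_RECIPIENT_META = '_example_lms_recipient';

// BEFORE: the bug class the advisory describes. '__return_true' makes the
// route readable by anyone who can reach /wp-json/. Leaving
// 'permission_callback' out entirely behaves the same way: WordPress 5.5+
// emits a _doing_it_wrong notice but still serves the request.
function example_lms_register_routes_vulnerable() {
    register_rest_route( 'example-lms/v1', '/messages/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_lms_get_message',
        'permission_callback' => '__return_true',
    ) );
}

// AFTER: the permission callback runs before the handler and decides per request.
function example_lms_register_routes_fixed() {
    register_rest_route( 'example-lms/v1', '/messages/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_lms_get_message',
        'permission_callback' => 'example_lms_can_read_message',
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_lms_register_routes_fixed' );

/**
 * Authorization for GET /example-lms/v1/messages/{id}.
 *
 * Returning a WP_Error here makes WordPress answer with that error and never
 * invoke the handler. Two checks are needed: authentication (anonymous REST
 * requests run as user ID 0, the state the advisory describes) and
 * object-level authorization (a logged-in student must not read another
 * student's message to a teacher).
 */
function example_lms_can_read_message( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_forbidden',
            'Authentication required.',
            array( 'status' => rest_authorization_required_code() ) // 401 for anonymous callers
        );
    }

    $message = get_post( (int) $request['id'] );
    $denied  = new WP_Error( 'rest_forbidden', 'You cannot read this message.', array( 'status' => 403 ) );

    // Unknown IDs and posts of other types get the same response as a real
    // denial, so the endpoint does not confirm which message IDs exist.
    if ( ! $message || EXAMPLE_LMS_MESSAGE_TYPE !== $message->post_type ) {
        return $denied;
    }

    $user_id      = get_current_user_id();
    $recipient_id = (int) get_post_meta( $message->ID, EXAMPLE_LMS_RECIPIENT_META, true );

    $is_sender    = $user_id === (int) $message->post_author;
    $is_recipient = $user_id === $recipient_id;
    $is_admin     = current_user_can( 'manage_options' );

    return ( $is_sender || $is_recipient || $is_admin ) ? true : $denied;
}

// Handler: by the time this runs the permission callback has already allowed
// the request, so it only shapes the response.
function example_lms_get_message( WP_REST_Request $request ) {
    $message = get_post( (int) $request['id'] );
    return rest_ensure_response( array(
        'id'      => $message->ID,
        'subject' => $message->post_title,
        'body'    => $message->post_content,
        'sent'    => $message->post_date_gmt,
    ) );
}
```

As a regression check on the hypothetical route, an anonymous `curl -i https://example.test/wp-json/example-lms/v1/messages/1` should return 401 with the fixed registration, and a logged-in user who is neither sender nor recipient should get 403; with the vulnerable registration both get 200 and the message body. The permission callback, not the handler, is where both checks belong, because WordPress evaluates it before any handler code runs and because `register_rest_route` treats a missing or always-true callback as public.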
Preconditions
- network: The attacker must be able to send HTTP requests to the WordPress REST API endpoint.
- auth: No authentication or prior access is required.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- wpscan.com/vulnerability/aba3dd58-7a8e-4129-add5-4dd5972c0426 (mitre, exploit, vdb-entry, technical-description)
- hackerone.com/reports/1590237 (mitre)
News mentions
No linked articles in our index yet.