VYPR
Unrated severity · NVD Advisory · Published Aug 29, 2022 · Updated Aug 3, 2024

Sensei LMS < 4.5.2 - Arbitrary Private Message Sending via IDOR

CVE-2022-2080

Description

The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversations via an IDOR attack. Note: attackers are not able to see responses/messages between the teacher and student.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 2

Vulnerability mechanics

Root cause

"Missing authorization check on the sender of a private message allows any authenticated user to send messages to arbitrary conversations."

Attack vector

An authenticated user can send a private message to an arbitrary conversation by manipulating the conversation identifier in the request. The plugin did not verify that the sender is either the teacher or the original participant of that conversation, enabling an Insecure Direct Object Reference (IDOR) attack. The attacker only needs to be logged into WordPress and know or guess the conversation ID; they cannot read existing messages, only inject new ones.

Affected code

The patch provided only bumps the version number and updates changelog entries; no source code changes to the private messaging logic are included in this diff. The advisory states that the private message sender check was missing in versions before 4.5.2, but the exact file or function responsible is not visible in this patch.

What the fix does

The supplied patch only updates version strings and changelog entries; it does not contain any code diff that shows how the sender authorization was added. Based on the advisory, the fix in version 4.5.2 must have introduced a check that ensures the current user is either the teacher or the original sender of the conversation before allowing a message to be sent. Without the actual code change visible, the precise mechanism cannot be confirmed from this bundle alone.
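The check the advisory describes, shown here as an added example in PHP and not as Sensei LMS's own code: a hypothetical WordPress AJAX handler for replying to a private conversation, first in the shape that trusts the conversation ID from the request as long as the caller is logged in (the IDOR the advisory describes), then with the sender check added. The post type, meta keys, nonce action and every function name prefixed `example_` are assumptions for illustration, not identifiers from the plugin.

```php
<?php
// Added example, not Sensei LMS code. Assumptions: each private conversation is
// a post of the hypothetical type 'example_private_message', with the teacher's
// user ID in post meta 'teacher_id' and the student's in 'student_id'.

/**
 * The rule the advisory states: a user may post into a conversation only if
 * they are its teacher or its original participant. Unknown IDs are denied.
 */
function example_user_can_reply_to_conversation( $user_id, $conversation_id ) {
    $conversation = get_post( (int) $conversation_id );
    if ( ! $conversation || 'example_private_message' !== $conversation->post_type ) {
        return false;
    }
    $teacher_id = (int) get_post_meta( $conversation->ID, 'teacher_id', true );
    $student_id = (int) get_post_meta( $conversation->ID, 'student_id', true );
    $user_id    = (int) $user_id;
    return $user_id > 0 && ( $user_id === $teacher_id || $user_id === $student_id );
}

/**
 * Vulnerable shape: authentication is checked, authorization is not. Any
 * logged-in user can write into whichever conversation ID they submit.
 */
function example_vulnerable_send_reply() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $conversation_id = isset( $_POST['conversation_id'] ) ? (int) $_POST['conversation_id'] : 0;
    $message         = isset( $_POST['message'] ) ? sanitize_textarea_field( wp_unslash( $_POST['message'] ) ) : '';
    example_store_reply( $conversation_id, get_current_user_id(), $message ); // no ownership check
    wp_send_json_success();
}

/**
 * Hardened shape: same handler with a nonce and the participant check, and a
 * log line on denial so repeated probing of conversation IDs is visible.
 */
function example_hardened_send_reply() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    check_ajax_referer( 'example_send_reply', 'nonce' );

    $conversation_id = isset( $_POST['conversation_id'] ) ? (int) $_POST['conversation_id'] : 0;
    $user_id         = get_current_user_id();

    if ( ! example_user_can_reply_to_conversation( $user_id, $conversation_id ) ) {
        error_log( sprintf( 'example: user %d denied reply to conversation %d', $user_id, $conversation_id ) );
        wp_send_json_error( 'not a participant in this conversation', 403 );
    }

    $message = isset( $_POST['message'] ) ? sanitize_textarea_field( wp_unslash( $_POST['message'] ) ) : '';
    example_store_reply( $conversation_id, $user_id, $message );
    wp_send_json_success();
}

/** Hypothetical persistence helper: stores the reply as a comment on the conversation post. */
function example_store_reply( $conversation_id, $user_id, $message ) {
    wp_insert_comment( array(
        'comment_post_ID'  => $conversation_id,
        'user_id'          => $user_id,
        'comment_content'  => $message,
        'comment_approved' => 1,
    ) );
}

add_action( 'wp_ajax_example_send_reply', 'example_hardened_send_reply' );
```

The point of the example is the order of checks: `is_user_logged_in()` only answers "who is this", and the IDOR exists precisely because the vulnerable handler stops there. The participant check ties the submitted conversation ID back to the current user before anything is written, and the 403 log line gives a defender a signal for one account being denied against many different conversation IDs.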

Preconditions

  • Auth: Attacker must be an authenticated WordPress user.
  • Input: Attacker must know or guess the target private conversation ID.

Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2
