Sensei LMS < 4.20.0 - Teacher+ Users Email Address Disclosure
Description
The Sensei LMS WordPress plugin before 4.20.0 discloses all users of the blog, including their email addresses, to teachers on the Students page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
Range: <4.20.0
Patches
Vulnerability mechanics
Root cause
"The Students page endpoint returns all registered users and their email addresses to any teacher, lacking proper access filtering to limit results to enrolled students only."
Attack vector
A teacher (a user with the Teacher role in Sensei LMS) navigates to the Students page in the WordPress admin area. Due to missing access controls or improper data filtering, the page returns the full list of all registered users on the blog, including their email addresses, rather than only the students enrolled in that teacher's courses. The attacker does not need to be an administrator; the Teacher role is sufficient to trigger the disclosure [patch_id=1888697].
Affected code
The patch provided only updates changelog and readme files for version 4.20.0, adding a note about an experimental High-Performance Progress Storage feature. The actual code change that fixes the information disclosure vulnerability is not shown in this patch bundle. The advisory states that the Sensei LMS WordPress plugin before version 4.20.0 discloses all blog users' names and email addresses to teachers on the students page.
What the fix does
The supplied patch only updates changelog entries and does not contain the actual code diff that fixes the vulnerability. Based on the advisory, the fix in version 4.20.0 restricts the user data returned on the Students page so that teachers can only see users who are actually enrolled in their courses, rather than every blog user. The patch likely adds a capability check or a query filter to the endpoint that populates the student list [patch_id=1888697].
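To make the "query filter" idea concrete, the following is an added illustration and not Sensei LMS code or the actual 4.20.0 fix. It shows a WordPress REST endpoint for a teacher's student list that applies both layers of control the advisory implies: a permission_callback that decides who may call the endpoint at all, and a data filter that restricts the returned rows to users enrolled in that teacher's own courses, returning no email addresses. The route name `example-lms/v1`, the capability `example_teach_courses`, and the helper `example_enrolled_user_ids()` with its enrollment table are all hypothetical.

```php
<?php
/**
 * Added illustration (not Sensei LMS code): a REST endpoint that returns a
 * teacher's student list restricted to users actually enrolled in that
 * teacher's courses, and without email addresses.
 *
 * Hypothetical names: the route 'example-lms/v1', the capability
 * 'example_teach_courses', and example_enrolled_user_ids().
 */

// Hypothetical lookup: IDs of users enrolled in any course the teacher owns.
// Assumes a custom table {$wpdb->prefix}example_enrollments( user_id, course_id ).
function example_enrolled_user_ids( int $teacher_id ): array {
    global $wpdb;

    $sql = $wpdb->prepare(
        "SELECT DISTINCT e.user_id
           FROM {$wpdb->prefix}example_enrollments e
           JOIN {$wpdb->posts} p ON p.ID = e.course_id
          WHERE p.post_author = %d AND p.post_type = %s",
        $teacher_id,
        'course'
    );

    return array_map( 'intval', (array) $wpdb->get_col( $sql ) );
}

function example_students_endpoint( WP_REST_Request $request ): WP_REST_Response {
    $teacher_id = get_current_user_id();
    $ids        = example_enrolled_user_ids( $teacher_id );

    // Edge case: WP_User_Query ignores an empty 'include' list and returns
    // every registered user, which would recreate exactly this disclosure.
    // Short-circuit instead of passing an empty list through.
    if ( empty( $ids ) ) {
        return new WP_REST_Response( array(), 200 );
    }

    $users = get_users(
        array(
            'include' => $ids,
            'fields'  => array( 'ID', 'display_name' ), // deliberately no user_email
        )
    );

    $out = array();
    foreach ( $users as $user ) {
        $out[] = array(
            'id'   => (int) $user->ID,
            'name' => $user->display_name,
        );
    }

    return new WP_REST_Response( $out, 200 );
}

add_action( 'rest_api_init', function () {
    register_rest_route(
        'example-lms/v1',
        '/students',
        array(
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => 'example_students_endpoint',
            // Layer 1: only users holding the (hypothetical) teacher capability
            // may call the endpoint; everyone else is rejected by WordPress.
            'permission_callback' => function () {
                return current_user_can( 'example_teach_courses' );
            },
        )
    );
} );
```

The point of the two layers is that a capability check alone would not have prevented this issue: teachers are legitimately allowed to call the Students page, so the missing control is the per-teacher scoping of the query and the removal of fields (here `user_email`) the caller has no need for. When reviewing a fix like this, check both that the `include` list is never empty when it reaches `get_users()` and that the response shape contains only the columns the page actually renders.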
Preconditions
- auth: The attacker must have the Teacher role in the Sensei LMS plugin.
- config: The site must be running a Sensei LMS version before 4.20.0.
Generated on May 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- wpscan.com/vulnerability/737bb010-b2fa-4bf4-b124-5fbba67cf935/