CVE-2024-35686
📋 TL;DR
This CVE describes a missing authorization vulnerability in WordPress Sensei LMS plugins that allows unauthorized users to access restricted functionality. It affects Sensei LMS and Sensei Pro (WC Paid Courses) up to specified versions. Attackers could exploit this to perform actions without proper permissions.
💻 Affected Systems
- Automattic Sensei LMS
- Automattic Sensei Pro (WC Paid Courses)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users could access administrative functions, modify course content, view sensitive student data, or manipulate payment/access controls.
Likely Case
Unauthorized users accessing course materials they shouldn't have access to, potentially viewing paid content without payment.
If Mitigated
With proper network segmentation and additional authorization layers, impact would be limited to specific plugin functionality only.
🎯 Exploit Status
Requires some level of access to WordPress (at least subscriber role). Exploitation likely involves manipulating API endpoints or URLs.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Sensei LMS: 4.23.2+; Sensei Pro: 4.23.1.1.23.2+
Vendor Advisory: https://patchstack.com/database/vulnerability/sensei-lms/wordpress-sensei-lms-plugin-4-23-1-broken-access-control-vulnerability?_s_id=cve
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find Sensei LMS / Sensei Pro.
4. Click 'Update Now' or manually update to the latest version.
5. Clear any caching plugin and CDN caches.
🔧 Temporary Workarounds
Temporary Access Restriction
Restrict access to the WordPress admin area and plugin endpoints with a web application firewall or an .htaccess rule, for example:
# Example .htaccess rule to restrict wp-admin (place it in wp-admin/.htaccess)
# Apache 2.2 syntax; on Apache 2.4 use: Require ip 192.168.1.0/24
# Note: this also blocks /wp-admin/admin-ajax.php, which front-end features may rely on
Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24
🧯 If You Can't Patch
- Implement strict network segmentation to isolate WordPress instance
- Add additional authentication/authorization layer (like HTTP basic auth) for admin areas
🔍 How to Verify
Check if Vulnerable:
Check the installed version under WordPress admin panel > Plugins > Sensei LMS / Sensei Pro. If the version is below the patched release (Sensei LMS < 4.23.2, Sensei Pro < 4.23.1.1.23.2), the system is vulnerable.
Check Version:
wp plugin list --name=sensei* --field=version (if WP-CLI is installed), or check the WordPress admin panel
Verify Fix Applied:
Verify plugin version is updated to patched versions (Sensei LMS >= 4.23.2, Sensei Pro >= 4.23.1.1.23.2). Test restricted functionality with lower-privilege accounts.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /wp-admin/admin-ajax.php or Sensei-specific endpoints from non-admin users
- 403 errors followed by successful 200s on restricted endpoints
Network Indicators:
- HTTP requests to Sensei API endpoints from unauthorized user agents/IPs
- Unusual POST requests to course/lesson management endpoints
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path CONTAINS "sensei") AND user_role!="administrator" AND response_code=200
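As an added example (not part of this advisory or of the Sensei project), the two log indicators above as a small Python detector run over constructed sample lines; the log format, the user/role fields and the Sensei-looking paths are assumptions, not real Sensei routes.

```python
"""Detect (1) non-admin 200s on admin-ajax.php or Sensei paths and
(2) a 403 followed by a 200 on the same endpoint by the same user."""
import re

# Constructed sample log in an assumed format:
# <timestamp> <user> <role> <method> <path> <status>
# Paths containing "sensei" are placeholders, not actual plugin routes.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z alice subscriber GET /courses/intro-to-php/ 200
2024-06-01T10:00:05Z alice subscriber POST /wp-json/sensei/v1/course-structure/12 403
2024-06-01T10:00:09Z alice subscriber POST /wp-json/sensei/v1/course-structure/12 200
2024-06-01T10:01:00Z bob administrator POST /wp-admin/admin-ajax.php 200
2024-06-01T10:02:00Z - anonymous POST /wp-admin/admin-ajax.php 200
2024-06-01T10:03:00Z carol subscriber GET /wp-json/sensei/v1/lessons/7 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<role>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)


def parse(log_text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def is_restricted(path):
    """Endpoint filter mirroring the SIEM query: admin-ajax.php or any 'sensei' path."""
    return path == "/wp-admin/admin-ajax.php" or "sensei" in path.lower()


def find_suspicious(events):
    """Return (reason, event) pairs for the advisory's two log indicators."""
    hits = []
    last_403 = {}  # (user, path) -> most recent 403 not yet followed by a 200
    for ev in events:
        if not is_restricted(ev["path"]):
            continue
        key = (ev["user"], ev["path"])
        if ev["status"] == 403:
            last_403[key] = ev
        elif ev["status"] == 200:
            if ev["role"] != "administrator":
                hits.append(("non-admin 200 on restricted endpoint", ev))
            if last_403.pop(key, None) is not None:
                hits.append(("403 followed by 200 on same endpoint", ev))
    return hits
```

The anonymous admin-ajax.php hit shows why the first rule is noisy: admin-ajax.php also serves unauthenticated front-end requests, so the 403-then-200 sequence is the higher-confidence signal.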
🔗 References
- https://patchstack.com/database/vulnerability/sensei-lms/wordpress-sensei-lms-plugin-4-23-1-broken-access-control-vulnerability?_s_id=cve
- https://patchstack.com/database/vulnerability/woothemes-sensei/wordpress-sensei-pro-wc-paid-courses-plugin-4-23-1-1-23-1-broken-access-control-vulnerability?_s_id=cve