CVE-2024-8009 – The Sensei LMS WordPress plugin before version ... (How to Fix)

Q: What is the severity of CVE-2024-8009?

CVE-2024-8009 has a CVSS score of 4.3 (MEDIUM). The Sensei LMS WordPress plugin before version 4.20.0 exposes all user email addresses to teachers on the students page. This information disclosure vulnerability affects WordPress sites using the vulnerable plugin version, potentially exposing student and user privacy.

📋 TL;DR

The Sensei LMS WordPress plugin before version 4.20.0 exposes all user email addresses to teachers on the students page. This information disclosure vulnerability affects WordPress sites using the vulnerable plugin version, potentially exposing student and user privacy.

💻 Affected Systems

Products:

Sensei LMS WordPress plugin

Versions: All versions before 4.20.0

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with Sensei LMS plugin and teacher role access to students page.

📦 What is this software?

Sensei Lms by Automattic

View all CVEs affecting Sensei Lms →

⚠️ Risk & Real-World Impact

🔴

Worst Case

All user email addresses are exposed to teachers, potentially enabling targeted phishing campaigns, spam, or harassment against students and other users.

🟠

Likely Case

Teachers gain unauthorized access to student email addresses, violating privacy expectations and potentially GDPR/regulatory compliance.

🟢

If Mitigated

Limited exposure if only trusted teachers have access, but still violates privacy principles and data protection requirements.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires teacher-level access to view the students page where the disclosure occurs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.20.0

Vendor Advisory: https://wpscan.com/vulnerability/737bb010-b2fa-4bf4-b124-5fbba67cf935/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Sensei LMS plugin. 4. Click 'Update Now' if available, or manually update to version 4.20.0 or later.

🔧 Temporary Workarounds

Restrict Teacher Access

all

Temporarily remove teacher access to students page until patched

Use WordPress role editor plugin to modify teacher capabilities

🧯 If You Can't Patch

Disable Sensei LMS plugin temporarily
Implement additional access controls to restrict teacher access to sensitive areas

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Sensei LMS version number

Check Version:

wp plugin list --name=sensei-lms --field=version

Verify Fix Applied:

Verify plugin version is 4.20.0 or higher and test teacher access to students page

📡 Detection & Monitoring

Log Indicators:

Unusual teacher account access patterns to students page
Multiple user data queries from teacher accounts

Network Indicators:

HTTP requests to /wp-admin/admin.php?page=sensei_learners

SIEM Query:

source="wordpress" AND uri_path="/wp-admin/admin.php" AND query="page=sensei_learners"

📊 Metadata

CVE ID: CVE-2024-8009

CVSS v3 Score: 4.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Score: 0.06% exploit probability (18.2th percentile)

Published: May 15, 2025

Last Updated: November 13, 2025

🔗 References

https://wpscan.com/vulnerability/737bb010-b2fa-4bf4-b124-5fbba67cf935/ Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON