
CVE-2024-1208 PoC — LearnDash LMS <= 4.10.2 - Sensitive Information Exposure via API

Associated Vulnerability
Title: LearnDash LMS <= 4.10.2 - Sensitive Information Exposure via API (CVE-2024-1208)
Description: The LearnDash LMS plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.10.2 via API. This makes it possible for unauthenticated attackers to obtain access to quiz questions.
Description
Sensitive Information Exposure via API in LearnDash.
Readme
# CVE-2024-1208 and CVE-2024-1210
*Sensitive Information Exposure via API in LearnDash. Unauthenticated visitors can browse the quizzes and quiz questions without being enrolled in a connected course.*

- Vulnerability: [CVE-2024-1208](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/sfwd-lms/learndash-lms-4102-sensitive-information-exposure-via-api) and [CVE-2024-1210](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/sfwd-lms/learndash-lms-4101-sensitive-information-exposure-via-api) Sensitive Information Exposure via API
- CVSS: 5.3 (Medium)
- Software: LearnDash (sfwd-lms)
- Affected versions: <= 4.10.2
- Patched version: 4.10.3
- Developer: LearnDash
- Researcher: Karl Emil Nikka, Nikka Systems
- Publicly published: 2024-02-05
- Last updated: 2024-02-05

## Overview

Anyone, even unauthenticated visitors, can see all LearnDash quizzes and LearnDash quiz questions. Since the quiz questions are public, they cannot be used to verify a student’s knowledge.

## Background information

LearnDash is a Learning Management System plugin for WordPress. It supports two different types of quizzes. The older quiz type is called sfwd-quiz and relies on linked questions (sfwd-question). The newer quiz type stores the quiz along with its questions as ld-exam posts.

LearnDash has three REST APIs: /wp/v2/, /ldlms/v1/, and /ldlms/v2/ (currently in beta). All APIs, including the beta API, are enabled by default. The /ldlms/v1/ and /ldlms/v2/ APIs can be disabled for specific post types using the learndash_rest_api_enabled filter (see class-ld-rest-api.php).

## Vulnerability

The affected versions of LearnDash (<=4.10.2) publish all quizzes and quiz questions for unauthenticated visitors. A visitor can browse (read) all questions by calling the endpoints for sfwd-question and ld-exam over the /wp/v2/ REST API. This API is enabled by default.

```
https://example.com/wp-json/wp/v2/sfwd-question
```

```
https://example.com/wp-json/wp/v2/ld-exam
```

A visitor can also browse (read) all quizzes by calling the sfwd-quiz endpoint over the /ldlms/v1/ API. This API is enabled by default.

```
https://example.com/wp-json/ldlms/v1/sfwd-quiz
```

A visitor can also access quizzes over the /ldlms/v2/ API if the visitor knows the quiz post ID (which is just an incrementing integer).

The /ldlms/v1/ and /ldlms/v2/ APIs can be disabled using the learndash_rest_api_enabled filter, but that opens a new data leak. If an administrator disables the /ldlms/v1/ and /ldlms/v2/ API for any post type, LearnDash publishes all REST API accessible LearnDash content over the /wp/v2/ API for unauthenticated visitors, including lessons and topics.
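For sites that were still on an affected version, the practical defender question is whether anyone harvested quiz content through the routes listed above. The following is an added example written for this page (not code from the report author or from LearnDash): a small detector that walks web-server access-log lines and flags clients that repeatedly read those REST routes without a WordPress login cookie. It assumes a combined log format with one extra quoted field holding the request's Cookie header, assumes the per-ID /ldlms/v2/ route takes the shape `/wp-json/ldlms/v2/<post-type>/<id>` (the report only says a quiz is reachable there by post ID), and uses a constructed threshold of three hits; the sample log lines are constructed for the example.

```python
"""Flag unauthenticated reads of LearnDash quiz content in access logs.

Added example for this page, not part of the original report or of LearnDash.
It matches the REST routes the report describes as world-readable in
LearnDash <= 4.10.2 and groups successful, anonymous hits per client IP.
"""
import re
from collections import defaultdict

# Routes named in the report. The /ldlms/v2/ per-ID shape is an assumption.
WATCHED_ROUTES = [
    ("wp-v2-sfwd-question", re.compile(r"^/wp-json/wp/v2/sfwd-question(?:/|\?|$)")),
    ("wp-v2-ld-exam", re.compile(r"^/wp-json/wp/v2/ld-exam(?:/|\?|$)")),
    ("ldlms-v1-sfwd-quiz", re.compile(r"^/wp-json/ldlms/v1/sfwd-quiz(?:/|\?|$)")),
    ("ldlms-v2-by-id", re.compile(r"^/wp-json/ldlms/v2/[a-z-]+/\d+(?:/|\?|$)")),
]

# Combined log format plus a trailing quoted Cookie field (assumed log config).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"(?: "(?P<cookie>[^"]*)")?$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["cookie"] = entry["cookie"] or ""
    return entry


def classify(entry):
    """Return the watched-route label for a parsed entry, or None for other requests."""
    if entry["method"] != "GET":
        return None
    for label, pattern in WATCHED_ROUTES:
        if pattern.match(entry["path"]):
            return label
    return None


def is_anonymous(entry):
    """WordPress sets a wordpress_logged_in_<hash> cookie for authenticated sessions."""
    return "wordpress_logged_in_" not in entry["cookie"]


def find_enumeration(lines, threshold=3):
    """Group anonymous, successful hits on watched routes per client IP and
    return the clients with at least `threshold` such requests."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry["status"] != 200 or not is_anonymous(entry):
            continue
        label = classify(entry)
        if label:
            hits[entry["ip"]].append((label, entry["path"]))
    return {ip: h for ip, h in hits.items() if len(h) >= threshold}


# Constructed sample log: one anonymous client paging through questions and
# quizzes, one logged-in student, one ordinary page view, one refused request.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Feb/2024:10:00:01 +0000] "GET /wp-json/wp/v2/sfwd-question?per_page=100 HTTP/1.1" 200 58211 "-" "curl/8.4.0" "-"',
    '203.0.113.7 - - [05/Feb/2024:10:00:02 +0000] "GET /wp-json/wp/v2/sfwd-question?per_page=100&page=2 HTTP/1.1" 200 57990 "-" "curl/8.4.0" "-"',
    '203.0.113.7 - - [05/Feb/2024:10:00:03 +0000] "GET /wp-json/ldlms/v1/sfwd-quiz HTTP/1.1" 200 12001 "-" "curl/8.4.0" "-"',
    '203.0.113.7 - - [05/Feb/2024:10:00:04 +0000] "GET /wp-json/ldlms/v2/sfwd-quiz/1042 HTTP/1.1" 200 3310 "-" "curl/8.4.0" "-"',
    '198.51.100.4 - - [05/Feb/2024:10:01:00 +0000] "GET /wp-json/wp/v2/ld-exam HTTP/1.1" 200 4410 "https://example.com/courses/" "Mozilla/5.0" "wordpress_logged_in_abc=student|123"',
    '198.51.100.9 - - [05/Feb/2024:10:02:00 +0000] "GET /courses/intro/ HTTP/1.1" 200 20201 "-" "Mozilla/5.0" "-"',
    '203.0.113.8 - - [05/Feb/2024:10:03:00 +0000] "GET /wp-json/wp/v2/ld-exam HTTP/1.1" 401 95 "-" "curl/8.4.0" "-"',
]

if __name__ == "__main__":
    for ip, reads in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(reads)} anonymous quiz-content reads")
        for label, path in reads:
            print(f"  {label:22s} {path}")
```

On the sample log only 203.0.113.7 is reported: the student's request carries a login cookie, the page view is not a watched route, and the 401 from a patched site is ignored because only successful reads count. Once a site is on 4.10.3 the same routes answer anonymous requests with an error, so any remaining matches in older logs bound the window in which content could have been read.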

## Patches

LearnDash 4.10.2 was released on 2024-01-08. It didn’t address the data leaks, though it made it possible to disable the /ldlms/v1/ and /ldlms/v2/ APIs without revealing even more information through the /wp/v2/ API.

LearnDash 4.10.3 was released on 2024-01-31 and addressed the vulnerabilities.

## Timeline

- 2023-12-25 I reported CVE-2024-1208, CVE-2024-1209 and CVE-2024-1210 to LearnDash’s support (according to Project Zero’s 90-day responsible disclosure policy). I included all three vulnerabilities in the same report. The vulnerabilities were later broken up and assigned three different CVE IDs by Wordfence.
- 2023-12-25 I submitted the vulnerabilities to Wordfence’s CNA. I declined participating in their bug-bounty program.
- 2023-12-27 LearnDash’s support replied and confirmed they had passed the report to the developers.
- 2024-01-03 LearnDash confirmed the vulnerabilities.
- 2024-01-04 LearnDash reached out to let me know they would prioritize fixing the assignments vulnerability (CVE-2024-1209).
- 2024-01-08 LearnDash released LearnDash 4.10.2, partially addressing CVE-2024-1209 and fixing the issue related to the learndash_rest_api_enabled filter. 
- 2024-01-31 LearnDash released LearnDash 4.10.3, successfully addressing the remaining parts of all three vulnerabilities. 
- 2024-02-02 Wordfence added the vulnerabilities to the CVE database.
- 2024-02-05 I published this report.

LearnDash handled the vulnerability reports well and addressed the vulnerabilities within the 90-day responsible disclosure window.