karlemilnikka/CVE-2024-1208-and-CVE-2024-1210
CVE-2024-1208 and CVE-2024-1210

Sensitive Information Exposure via API in LearnDash. Unauthenticated visitors can browse the quizzes and quiz questions without being enrolled in a connected course.

  • Vulnerability: CVE-2024-1208 and CVE-2024-1210 Sensitive Information Exposure via API
  • CVSS: 5.3 (Medium)
  • Software: LearnDash (sfwd-lms)
  • Affected versions: <= 4.10.2
  • Patched version: 4.10.3
  • Developer: LearnDash
  • Researcher: Karl Emil Nikka, Nikka Systems
  • Publicly published: 2024-02-05
  • Last updated: 2024-02-05

Overview

Anyone, even unauthenticated visitors, can see all LearnDash quizzes and LearnDash quiz questions. Since the quiz questions are public, they cannot be used to verify a student’s knowledge.

Background information

LearnDash is a Learning Management System plugin for WordPress. It supports two different types of quizzes. The older quiz type is called sfwd-quiz and relies on linked questions (sfwd-question). The newer quiz type stores the quiz along with its questions as ld-exam posts.

LearnDash has three REST APIs: /wp/v2/, /ldlms/v1/, and /ldlms/v2/ (currently in beta). All APIs, including the beta API, are enabled by default. The /ldlms/v1/ and /ldlms/v2/ APIs can be disabled for specific post types using the learndash_rest_api_enabled filter (see class-ld-rest-api.php).

Vulnerability

The affected versions of LearnDash (<=4.10.2) publish all quizzes and quiz questions for unauthenticated visitors. A visitor can browse (read) all questions by calling the endpoints for sfwd-question and ld-exam over the /wp/v2/ REST API. This API is enabled by default.

https://example.com/wp-json/wp/v2/sfwd-question
https://example.com/wp-json/wp/v2/ld-exam

A visitor can also browse (read) all quizzes by calling the sfwd-quiz endpoint over the /ldlms/v1/ API. This API is enabled by default.

https://example.com/wp-json/ldlms/v1/sfwd-quiz

A visitor can also access quizzes over the /ldlms/v2/ API if the visitor knows the quiz post ID (which is just an incrementing integer).

The /ldlms/v1/ and /ldlms/v2/ APIs can be disabled using the learndash_rest_api_enabled filter, but doing so opens a new data leak. If an administrator disables the /ldlms/v1/ and /ldlms/v2/ APIs for any post type, LearnDash publishes all REST API accessible LearnDash content over the /wp/v2/ API for unauthenticated visitors, including lessons and topics.
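As an added example (not part of this advisory), here is detection logic a site owner can run over web-server access logs after the fact: it flags successful reads of the three listing endpoints named above and sequential quiz-ID walks against the /ldlms/v2/ endpoint. The log lines are constructed for the example; an access log does not show whether a request carried a WordPress session, so hits are indicators to triage, and the fix remains updating to 4.10.3.

```python
import re
from collections import defaultdict

# Access-log lines in combined log format, constructed for this example; the paths are
# the endpoints named in the advisory and the IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Feb/2024:10:00:01 +0000] "GET /wp-json/wp/v2/sfwd-question?per_page=100 HTTP/1.1" 200 48211
203.0.113.7 - - [05/Feb/2024:10:00:02 +0000] "GET /wp-json/wp/v2/ld-exam HTTP/1.1" 200 9012
203.0.113.7 - - [05/Feb/2024:10:00:03 +0000] "GET /wp-json/ldlms/v1/sfwd-quiz HTTP/1.1" 200 3300
198.51.100.9 - - [05/Feb/2024:10:00:04 +0000] "GET /wp-json/ldlms/v2/sfwd-quiz/101 HTTP/1.1" 200 700
198.51.100.9 - - [05/Feb/2024:10:00:05 +0000] "GET /wp-json/ldlms/v2/sfwd-quiz/102 HTTP/1.1" 200 710
198.51.100.9 - - [05/Feb/2024:10:00:06 +0000] "GET /wp-json/ldlms/v2/sfwd-quiz/103 HTTP/1.1" 401 120
192.0.2.4 - - [05/Feb/2024:10:00:07 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5000
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Listing endpoints the advisory reports as readable without login on LearnDash <= 4.10.2.
LISTING_ENDPOINTS = {
    "/wp-json/wp/v2/sfwd-question",  # questions of the older sfwd-quiz type
    "/wp-json/wp/v2/ld-exam",        # newer quiz type, questions stored in the post
    "/wp-json/ldlms/v1/sfwd-quiz",   # quiz listing over the LearnDash v1 API
}
V2_QUIZ_RE = re.compile(r"^/wp-json/ldlms/v2/sfwd-quiz/(\d+)$")  # single quiz by incrementing post ID

def parse_line(line):
    """Return (ip, method, path-without-query, status) or None for an unparsable line."""
    if (m := LOG_RE.match(line)) is None:
        return None
    ip, method, target, status = m.groups()
    return ip, method, target.split("?", 1)[0], int(status)

def is_sequential(ids):
    """True when the IDs form one consecutive run, the trace an incrementing-ID walk leaves."""
    s = sorted(set(ids))
    return len(s) >= 2 and s[-1] - s[0] == len(s) - 1

def detect(log_text, walk_threshold=3):
    """Flag 200 responses from the listing endpoints and sequential quiz-ID walks per client IP."""
    findings, ids_by_ip = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != "GET":
            continue
        ip, _, path, status = rec
        if path in LISTING_ENDPOINTS and status == 200:
            findings.append((ip, path, "listing served"))
        if m := V2_QUIZ_RE.match(path):
            ids_by_ip[ip].append(int(m.group(1)))  # counted regardless of status: the walk itself is the signal
    for ip, ids in ids_by_ip.items():
        if len(ids) >= walk_threshold and is_sequential(ids):
            findings.append((ip, "/wp-json/ldlms/v2/sfwd-quiz/<id>", f"id walk {min(ids)}-{max(ids)}"))
    return findings
```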

Patches

LearnDash 4.10.2 was released on 2024-01-08. It didn’t address the data leaks, though it made it possible to disable the /ldlms/v1/ and /ldlms/v2/ APIs without revealing even more information through the /wp/v2/ API.

LearnDash 4.10.3 was released on 2024-01-31 and addressed the vulnerabilities.

Timeline

  • 2023-12-25 I reported CVE-2024-1208, CVE-2024-1209 and CVE-2024-1210 to LearnDash’s support (according to Project Zero’s 90-day responsible disclosure policy). I included all three vulnerabilities in the same report. The vulnerabilities were later broken up and assigned three different CVE IDs by Wordfence.
  • 2023-12-25 I submitted the vulnerabilities to Wordfence’s CNA. I declined to participate in their bug-bounty program.
  • 2023-12-27 LearnDash’s support replied and confirmed they had passed the report to the developers.
  • 2024-01-03 LearnDash confirmed the vulnerabilities.
  • 2024-01-04 LearnDash reached out to let me know they would prioritize fixing the assignments vulnerability (CVE-2024-1209).
  • 2024-01-08 LearnDash released LearnDash 4.10.2, partially addressing CVE-2024-1209 and fixing the issue related to the learndash_rest_api_enabled filter.
  • 2024-01-31 LearnDash released LearnDash 4.10.3, successfully addressing the remaining parts of all three vulnerabilities.
  • 2024-02-02 Wordfence added the vulnerabilities to the CVE database.
  • 2024-02-05 I published this report.

LearnDash handled the vulnerability reports well and addressed the vulnerabilities within the 90-day responsible disclosure window.
