Sensitive Information Exposure via API in LearnDash. Unauthenticated visitors can browse the quizzes and quiz questions without being enrolled in a connected course.
- Vulnerability: CVE-2024-1208 and CVE-2024-1210 Sensitive Information Exposure via API
- CVSS: 5.3 (Medium)
- Software: LearnDash (sfwd-lms)
- Affected versions: <= 4.10.2
- Patched version: 4.10.3
- Developer: LearnDash
- Researcher: Karl Emil Nikka, Nikka Systems
- Publicly published: 2024-02-05
- Last updated: 2024-02-05
Anyone, even unauthenticated visitors, can see all LearnDash quizzes and LearnDash quiz questions. Since the quiz questions are public, they cannot be used to verify a student’s knowledge.
LearnDash is a Learning Management System plugin for WordPress. It supports two different types of quizzes. The older quiz type is called sfwd-quiz and relies on linked questions (sfwd-question). The newer quiz type stores the quiz along with its questions as ld-exam posts.
LearnDash has three REST APIs: /wp/v2/, /ldlms/v1/, and /ldlms/v2/ (currently in beta). All APIs, including the beta API, are enabled by default. The /ldlms/v1/ and /ldlms/v2/ APIs can be disabled for specific post types using the learndash_rest_api_enabled filter (see class-ld-rest-api.php).
The affected versions of LearnDash (<=4.10.2) publish all quizzes and quiz questions to unauthenticated visitors. A visitor can browse (read) all questions by calling the endpoints for sfwd-question and ld-exam over the /wp/v2/ REST API. This API is enabled by default.
https://example.com/wp-json/wp/v2/sfwd-question
https://example.com/wp-json/wp/v2/ld-exam
A visitor can also browse (read) all quizzes by calling the sfwd-quiz endpoint over the /ldlms/v1/ API. This API is enabled by default.
https://example.com/wp-json/ldlms/v1/sfwd-quiz
A visitor can also access quizzes over the /ldlms/v2/ API if the visitor knows the quiz post ID (which is just an incrementing integer).
The /ldlms/v1/ and /ldlms/v2/ APIs can be disabled using the learndash_rest_api_enabled filter, but doing so opens a new data leak. If an administrator disables the /ldlms/v1/ and /ldlms/v2/ APIs for any post type, LearnDash publishes all REST-API-accessible LearnDash content, including lessons and topics, over the /wp/v2/ API to unauthenticated visitors.
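As an added example (not LearnDash's own code), a WordPress must-use plugin that makes the quiz routes named above require a logged-in user via the core rest_pre_dispatch filter, as a stopgap for sites that cannot update to 4.10.3 immediately. The function name, the constant, and the /ldlms/v2/sfwd-quiz route (the advisory does not name the exact v2 route) are assumptions; the real fix is the 4.10.3 update.

```php
<?php
/**
 * Plugin Name: Require login for LearnDash quiz REST routes (stopgap)
 * Place in wp-content/mu-plugins/ so it loads before LearnDash.
 * Assumed example code; not part of LearnDash or of the advisory.
 */

// Route prefixes that the advisory reports as readable without authentication.
// The /ldlms/v2/ path is an assumption; the advisory does not name it.
const LD_QUIZ_ROUTE_PREFIXES = array(
    '/wp/v2/sfwd-question',
    '/wp/v2/ld-exam',
    '/ldlms/v1/sfwd-quiz',
    '/ldlms/v2/sfwd-quiz',
);

/**
 * Short-circuit the REST dispatch with a 401 when an anonymous request
 * targets one of the quiz routes. Authenticated users (cookie + nonce,
 * or application passwords) pass through to LearnDash's own handling.
 * Core authenticates the request before this filter runs, so
 * is_user_logged_in() is reliable here.
 */
function ld_quiz_routes_require_login( $result, $server, $request ) {
    $route = $request->get_route();

    foreach ( LD_QUIZ_ROUTE_PREFIXES as $prefix ) {
        // Prefix match also covers /wp/v2/sfwd-question/<id> style routes.
        if ( 0 === strpos( $route, $prefix ) ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Authentication is required to read quiz content.',
                    array( 'status' => 401 )
                );
            }
            break;
        }
    }

    // Any other route, or a logged-in caller: leave the normal result in place.
    return $result;
}
add_filter( 'rest_pre_dispatch', 'ld_quiz_routes_require_login', 10, 3 );
```

This only removes the anonymous read path; logged-in but unenrolled users can still read the routes, which is why it is a stopgap rather than a replacement for the vendor fix.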
LearnDash 4.10.2 was released on 2024-01-08. It didn’t address the data leaks, though it made it possible to disable the /ldlms/v1/ and /ldlms/v2/ APIs without revealing even more information through the /wp/v2/ API.
LearnDash 4.10.3 was released on 2024-01-31 and addressed the vulnerabilities.
- 2023-12-25 I reported CVE-2024-1208, CVE-2024-1209 and CVE-2024-1210 to LearnDash’s support (according to Project Zero’s 90-day responsible disclosure policy). I included all three vulnerabilities in the same report. The vulnerabilities were later broken up and assigned three different CVE IDs by Wordfence.
- 2023-12-25 I submitted the vulnerabilities to Wordfence’s CNA. I declined to participate in their bug-bounty program.
- 2023-12-27 LearnDash’s support replied and confirmed they had passed the report to the developers.
- 2024-01-03 LearnDash confirmed the vulnerabilities.
- 2024-01-04 LearnDash reached out to let me know they would prioritize fixing the assignments vulnerability (CVE-2024-1209).
- 2024-01-08 LearnDash released LearnDash 4.10.2, partially addressing CVE-2024-1209 and fixing the issue related to the learndash_rest_api_enabled filter.
- 2024-01-31 LearnDash released LearnDash 4.10.3, successfully addressing the remaining parts of all three vulnerabilities.
- 2024-02-02 Wordfence added the vulnerabilities to the CVE database.
- 2024-02-05 I published this report.
LearnDash handled the vulnerability reports well and addressed the vulnerabilities within the 90-day responsible disclosure window.