PoC details: 0d016890607efb6216901a58e82c2bc9fc0aaf3c

Related vulnerability
Title: WordPress Plugin LearnDash LMS security vulnerability (CVE-2024-1208)
Description: WordPress and WordPress plugins are products of the WordPress Foundation. WordPress is a blogging platform written in PHP; it lets users host a personal blog on a server running PHP and MySQL. A WordPress plugin is an application plugin. WordPress Plugin LearnDash LMS 4.10.2 and earlier contain a security vulnerability caused by sensitive information being exposed through an API: an unauthenticated attacker can access quiz questions.
Description
Sensitive Information Exposure via API in LearnDash.
Introduction
# CVE-2024-1208 and CVE-2024-1210
*Sensitive Information Exposure via API in LearnDash. Unauthenticated visitors can browse the quizzes and quiz questions without being enrolled in a connected course.*

- Vulnerability: [CVE-2024-1208](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/sfwd-lms/learndash-lms-4102-sensitive-information-exposure-via-api) and [CVE-2024-1210](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/sfwd-lms/learndash-lms-4101-sensitive-information-exposure-via-api) Sensitive Information Exposure via API
- CVSS: 5.3 (Medium)
- Software: LearnDash (sfwd-lms)
- Affected versions: <= 4.10.2
- Patched version: 4.10.3
- Developer: LearnDash
- Researcher: Karl Emil Nikka, Nikka Systems
- Publicly published: 2024-02-05
- Last updated: 2024-02-05

## Overview

Anyone, even unauthenticated visitors, can see all LearnDash quizzes and LearnDash quiz questions. Since the quiz questions are public, they cannot be used to verify a student’s knowledge.

## Background information

LearnDash is a Learning Management System plugin for WordPress. It supports two different types of quizzes. The older quiz type is called sfwd-quiz and relies on linked questions (sfwd-question). The newer quiz type stores the quiz along with its questions as ld-exam posts.

LearnDash has three REST APIs: /wp/v2/, /ldlms/v1/, and /ldlms/v2/ (currently in beta). All APIs, including the beta API, are enabled by default. The /ldlms/v1/ and /ldlms/v2/ APIs can be disabled for specific post types using the learndash_rest_api_enabled filter (see class-ld-rest-api.php).

## Vulnerability

The affected versions of LearnDash (<=4.10.2) publish all quizzes and quiz questions for unauthenticated visitors. A visitor can browse (read) all questions by calling the endpoints for sfwd-question and ld-exam over the /wp/v2/ REST API. This API is enabled by default.

```
https://example.com/wp-json/wp/v2/sfwd-question
https://example.com/wp-json/wp/v2/ld-exam
```

A visitor can also browse (read) all quizzes by calling the sfwd-quiz endpoint over the /ldlms/v1/ API. This API is enabled by default.

```
https://example.com/wp-json/ldlms/v1/sfwd-quiz
```

A visitor can also access quizzes over the /ldlms/v2/ API if the visitor knows the quiz post ID (which is just an incrementing integer).

The /ldlms/v1/ and /ldlms/v2/ APIs can be disabled using the learndash_rest_api_enabled filter, but that opens a new data leak. If an administrator disables the /ldlms/v1/ and /ldlms/v2/ API for any post type, LearnDash publishes all REST API accessible LearnDash content over the /wp/v2/ API for unauthenticated visitors, including lessons and topics.
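As an added defender-side example (not part of the original report), the following Python scans web-server access-log lines for successful GETs of the quiz and question endpoints listed above, covering both the /wp-json/ path form and the ?rest_route= query form that WordPress also accepts; the log lines and the combined-log field layout are constructed. Access logs cannot show whether a request was authenticated, so the counts flag every successful read and should be compared against the site's normal enrolled-student traffic.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlparse

# REST routes the report names as readable by unauthenticated visitors (<= 4.10.2).
SENSITIVE_ROUTES = ("/wp/v2/sfwd-question", "/wp/v2/ld-exam",
                    "/ldlms/v1/sfwd-quiz", "/ldlms/v2/sfwd-quiz")
# Combined access-log layout (assumed; adjust the pattern to your server's format).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+')

def rest_route(target):
    """Map a request target to its WP REST route, or None if it is not a REST call.
    Handles /wp-json/<route> and the ?rest_route=<route> form WordPress also accepts."""
    parsed = urlparse(target)
    path = unquote(parsed.path)
    if path.startswith("/wp-json/"):
        return "/" + path[len("/wp-json/"):].rstrip("/")
    query = parse_qs(parsed.query)
    if "rest_route" in query:
        return unquote(query["rest_route"][0]).rstrip("/")
    return None

def sensitive_route(route):
    # Match the collection itself and single-item reads below it (e.g. .../sfwd-quiz/42).
    for prefix in SENSITIVE_ROUTES:
        if route == prefix or route.startswith(prefix + "/"):
            return prefix
    return None

def scan_log(lines):
    """Count successful (HTTP 200) GETs of the quiz/question endpoints per client IP."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET" or m.group("status") != "200":
            continue
        route = rest_route(m.group("target"))
        prefix = sensitive_route(route) if route else None
        if prefix:
            hits[m.group("ip")][prefix] += 1
    return {ip: dict(routes) for ip, routes in hits.items()}

# Constructed sample lines: one client paging through questions, one ordinary visitor.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Feb/2024:10:00:01 +0000] "GET /wp-json/wp/v2/sfwd-question?per_page=100 HTTP/1.1" 200 51233',
    '203.0.113.7 - - [05/Feb/2024:10:00:02 +0000] "GET /wp-json/wp/v2/sfwd-question?per_page=100&page=2 HTTP/1.1" 200 49871',
    '203.0.113.7 - - [05/Feb/2024:10:00:03 +0000] "GET /?rest_route=%2Fwp%2Fv2%2Fld-exam HTTP/1.1" 200 8012',
    '198.51.100.4 - - [05/Feb/2024:10:01:00 +0000] "GET /wp-json/ldlms/v1/sfwd-quiz/42 HTTP/1.1" 403 98',
    '198.51.100.4 - - [05/Feb/2024:10:01:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 30211',
]
```

Running `scan_log(SAMPLE_LOG)` reports only 203.0.113.7, with two question-collection reads and one ld-exam read; the 403 on the sfwd-quiz item (as a patched install returns) and the ordinary posts request are not counted.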

## Patches

LearnDash 4.10.2 was released on 2024-01-08. It didn’t address the data leaks, though it made it possible to disable the /ldlms/v1/ and /ldlms/v2/ APIs without revealing even more information through the /wp/v2/ API.

LearnDash 4.10.3 was released on 2024-01-31 and addressed the vulnerabilities.

## Timeline

- 2023-12-25 I reported CVE-2024-1208, CVE-2024-1209 and CVE-2024-1210 to LearnDash’s support (according to Project Zero’s 90-day responsible disclosure policy). I included all three vulnerabilities in the same report. The vulnerabilities were later broken up and assigned three different CVE IDs by Wordfence.
- 2023-12-25 I submitted the vulnerabilities to Wordfence’s CNA. I declined participating in their bug-bounty program.
- 2023-12-27 LearnDash’s support replied and confirmed they had passed the report to the developers.
- 2024-01-03 LearnDash confirmed the vulnerabilities.
- 2024-01-04 LearnDash reached out to let me know they would prioritize fixing the assignments vulnerability (CVE-2024-1209).
- 2024-01-08 LearnDash released LearnDash 4.10.2, partially addressing CVE-2024-1209 and fixing the issue related to the learndash_rest_api_enabled filter.
- 2024-01-31 LearnDash released LearnDash 4.10.3, successfully addressing the remaining parts of all three vulnerabilities.
- 2024-02-02 Wordfence added the vulnerabilities to the CVE database.
- 2024-02-05 I published this report.

LearnDash handled the vulnerability reports well and addressed the vulnerabilities within the 90-day responsible disclosure window.
File snapshot

[4.0K] /data/pocs/0d016890607efb6216901a58e82c2bc9fc0aaf3c
└── [4.2K] README.md

0 directories, 1 file