Sensitive Information Exposure via assignments in LearnDash. Unauthenticated visitors can browse and download uploaded assignments.
- Vulnerability: CVE-2024-1209 Sensitive Information Exposure via assignments
- CVSS: 5.3 (Medium)
- Software: LearnDash (sfwd-lms)
- Affected versions: <= 4.10.1
- Patched version: 4.10.2 (partially), 4.10.3 (fully)
- Developer: LearnDash
- Researcher: Karl Emil Nikka, Nikka Systems
- Publicly published: 2024-02-05
- Last updated: 2024-02-05
Anyone, including unauthenticated visitors, can see all uploaded LearnDash assignments. Since the assignments are public, anyone who knows about this vulnerability can read the uploaded documents (causing potential GDPR incidents). The vulnerability can be exploited without having an account on the website.
LearnDash is a Learning Management System plugin for WordPress.
The affected versions of LearnDash (<=4.10.1) store uploaded assignment files in folders without access protection. When a user uploads an assignment file, LearnDash puts the file in /wp-content/uploads/assignments/. The file keeps its original name, though it is prefixed with the post ID from where it was uploaded and the Unix time stamp.
LearnDash has three REST APIs: /wp/v2/, /ldlms/v1/, and /ldlms/v2/ (currently in beta). All APIs, including the beta API, are enabled by default. The /ldlms/v1/ and /ldlms/v2/ APIs can be disabled for specific post types using the learndash_rest_api_enabled filter (see class-ld-rest-api.php).
Anyone, including unauthenticated visitors, can download any uploaded assignment file by just knowing the file’s name.
LearnDash appends a time stamp to every uploaded file’s name to make it harder to guess the name, but timestamps are brute-forceable. Unfortunately, an unauthenticated visitor who wants to read uploaded assignments doesn’t even have to brute-force any file names. The affected versions of LearnDash (<=4.10.1) publish all submitted assignments for unauthenticated visitors over the REST API. All a visitor has to do is to call the endpoint for sfwd-assignment over the /wp/v2/ REST API. The reply includes paths to the uploaded files, and the visitor can download them without signing in.
https://example.com/wp-json/wp/v2/sfwd-assignment
LearnDash 4.10.2 was released on 2024-01-08. It addressed the issue with assignment file paths leaking through the REST API. CVE-2024-1208 and CVE-2024-1210 persisted.
LearnDash 4.10.3 was released on 2024-01-31. It moved the file storage location to a protected folder and introduced dynamic download links to prohibit unauthorized access.
- 2023-12-25 I reported CVE-2024-1208, CVE-2024-1209 and CVE-2024-1210 to LearnDash’s support (according to Project Zero’s 90-day responsible disclosure policy). I included all three vulnerabilities in the same report. The vulnerabilities were later broken up and assigned three different CVE IDs by Wordfence.
- 2023-12-25 I submitted the vulnerability to Wordfence’s CNA. I declined participating in their bug-bounty program.
- 2023-12-27 LearnDash’s support replied and confirmed they had passed the report to the developers.
- 2024-01-03 LearnDash confirmed the vulnerability.
- 2024-01-04 LearnDash reached out to let me know they would prioritize fixing the assignments vulnerability.
- 2024-01-08 LearnDash released LearnDash 4.10.2, partially addressing CVE-2024-1209 by no longer exposing all uploaded assignments through the REST API. CVE-2024-1208 and CVE-2024-1210 persisted.
- 2024-01-31 LearnDash released LearnDash 4.10.3, successfully addressing the remaining parts of all three vulnerabilities.
- 2024-02-02 Wordfence added the vulnerability to the CVE database.
- 2024-02-05 I published this report.
LearnDash handled the vulnerability report well and addressed the vulnerability within the 90-day responsible disclosure window.