CVE-2020-26876

CVE-2020-26876 – WordPress WP Courses Plugin up to version 2.0.27/2.0.29 suffers an information-disclosure via the REST API. The issue stems from show_in_rest being enabled for custom post types, allowing access to private course videos and materials through endpoints like /wp-json/wp/v2/course o...