CVE-2020-26876 Scanner
Detects the 'Improper Access Control' vulnerability in the wp-courses plugin for WordPress, which affects versions through 2.0.27.
Short Info
Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 4 weeks
Scan only one: URL
Toolbox: -
The wp-courses plugin is a popular tool that can be utilized to create online course platforms in WordPress websites. This plugin allows website owners to offer video lessons and course materials to their users after payment. It simplifies the entire course creation and management process by providing an all-in-one solution that includes course progress tracking, online quizzes, student management, and more. The plugin makes it easy for website owners to monetize their expertise and offer their courses online.
However, the plugin has been identified with a critical vulnerability, CVE-2020-26876. Remote attackers can exploit it through the /wp-json REST API to bypass the payment step that must be completed before the course video lessons and course materials can be accessed. The bypass works because show_in_rest is enabled for the plugin's custom post types, which are reachable at /wp-json/wp/v2/course and /wp-json/wp/v2/lesson. An attack of this type ultimately threatens the entire profit motive of the website owners.
Exploitation of this vulnerability can lead to an unauthorized leakage of video lessons and course materials that the website owners intend to monetize. Inevitably, this situation will cause financial losses to the website owners. This situation can also lead to the release of sensitive personal information of their users, which may significantly threaten user privacy and expose them to further risks.
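As an added example (not the scanner's own code), the following Python sketch shows how an asset owner could check their own site for this exposure by classifying the unauthenticated responses of the two REST routes named above. The function names, the result labels and the sample responses are assumptions made for illustration; the `content.rendered` field is the standard shape of a WordPress REST post object.

```python
import json
import urllib.error
import urllib.request

# REST routes named on this page for the plugin's custom post types.
ROUTES = ("/wp-json/wp/v2/course", "/wp-json/wp/v2/lesson")


def classify(status, body):
    """Classify one unauthenticated REST response: 'exposed', 'listed' or 'closed'."""
    if status != 200:
        return "closed"      # 401/403, or 404 rest_no_route when the route is not public
    try:
        items = json.loads(body)
    except ValueError:
        return "closed"      # not JSON, e.g. a login or block page
    if not isinstance(items, list):
        return "closed"      # a REST error object rather than a collection
    for item in items:
        content = item.get("content") if isinstance(item, dict) else None
        if isinstance(content, dict) and str(content.get("rendered") or "").strip():
            return "exposed"  # course/lesson body returned without a session
    return "listed"          # route is public, but no body text came back


def check_site(base_url, timeout=10):
    """Query both routes on a site you administer, sending no cookies or auth header."""
    results = {}
    for route in ROUTES:
        url = base_url.rstrip("/") + route
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                body = resp.read().decode("utf-8", "replace")
                results[route] = classify(resp.status, body)
        except urllib.error.HTTPError as err:
            results[route] = classify(err.code, "")
        except urllib.error.URLError:
            results[route] = "unreachable"
    return results


# Constructed sample responses (not captured from a real site).
SAMPLE_EXPOSED = json.dumps([{"id": 12, "type": "lesson",
                              "content": {"rendered": "<p>Paid lesson text</p>"}}])
SAMPLE_NO_ROUTE = json.dumps({"code": "rest_no_route", "data": {"status": 404}})

if __name__ == "__main__":
    print(classify(200, SAMPLE_EXPOSED))   # exposed
    print(classify(404, SAMPLE_NO_ROUTE))  # closed
```

A result of "exposed" on either route means paid content is being served to visitors who have not logged in or paid; "listed" means the route is public and still deserves review even though no body text was returned.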
Fortunately, the users of s4e.io will be able to identify and remediate such vulnerabilities quickly and easily. The platform offers advanced security features that detect and remediate potential vulnerabilities with ease. The users are provided with understanding, assurance, and potential solutions that help protect their digital assets and website against future attacks. To guarantee comprehensive protection, website owners are encouraged to visit s4e.io and investigate its pro features.