Back to KEVs

CVE-2020-26876

The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step (for course videos and materials) by...

Basic Information

CVE State
PUBLISHED
Reserved Date
October 07, 2020
Published Date
October 07, 2020
Last Updated
August 04, 2024
Vendor
n/a
Product
n/a
Description
The wp-courses plugin through 2.0.27 for WordPress allows remote attackers to bypass the intended payment step (for course videos and materials) by using the /wp-json REST API, as exploited in the wild in September 2020. This occurs because show_in_rest is enabled for custom post types (e.g., /wp-json/wp/v2/course and /wp-json/wp/v2/lesson exist).
Tags
wordpress nuclei_scanner

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2.0

5.0

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploit Status

Exploited in the Wild
Yes (2020-10-07 16:56:25 UTC) Source

References

https://www.redtimmy.com/critical-information-disclosure-on-wp-courses-plugin-exposes-private-course-videos-and-materials/ https://plugins.trac.wordpress.org/changeset/2389243 https://plugins.trac.wordpress.org/changeset/2388997

Known Exploited Vulnerability Information

Source Added Date
CVE 2020-10-07 16:56:25 UTC

Scanner Integrations

Scanner URL Date Detected
Nuclei https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2020/CVE-2020-26876.yaml 2025-04-26 00:00:00 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Detected by Nuclei