CVE-2024-1208: 
WordPress vulnerability analysis and mitigation

The LearnDash LMS plugin for WordPress contains a Sensitive Information Exposure vulnerability (CVE-2024-1208) affecting all versions up to and including 4.10.2. The vulnerability was discovered by Karl Emil Nikka from Nikka Systems and was publicly disclosed on February 5, 2024. This security flaw allows unauthenticated attackers to access quiz questions through the API (GitHub Exploit).

The vulnerability exists due to improper access controls in the WordPress REST API endpoints. Unauthenticated visitors can access quiz content through multiple API endpoints: /wp/v2/sfwd-question, /wp/v2/ld-exam, and /ldlms/v1/sfwd-quiz. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Wordfence Advisory).

The vulnerability allows unauthorized users to view all LearnDash quizzes and quiz questions without being enrolled in the associated courses. This exposure compromises the integrity of the assessment system as quiz questions become publicly accessible, making them ineffective for verifying student knowledge (GitHub Exploit).

The vulnerability has been patched in LearnDash version 4.10.3, released on January 31, 2024. Users are strongly advised to update to this version or later to protect their quiz content. While the /ldlms/v1/ and /ldlms/v2/ APIs can be disabled using the learndashrestapi_enabled filter, this is not recommended as it may lead to additional data exposure through the /wp/v2/ API (LearnDash Release).