CVE-2024-1209: 
WordPress vulnerability analysis and mitigation

The LearnDash LMS plugin for WordPress contains a Sensitive Information Exposure vulnerability (CVE-2024-1209) affecting all versions up to and including 4.10.1. The vulnerability was discovered and reported by Karl Emil Nikka, and was publicly disclosed on February 5, 2024. The issue affects the WordPress plugin's handling of uploaded assignments, where insufficient protection of these files makes them accessible to unauthenticated attackers (NVD, GitHub POC).

The vulnerability stems from LearnDash's storage of uploaded assignment files in unprotected folders within the /wp-content/uploads/assignments/ directory. While the files are renamed with a post ID prefix and Unix timestamp, they remain publicly accessible. The vulnerability is exposed through the WordPress REST API endpoint /wp/v2/sfwd-assignment, which reveals paths to uploaded files to unauthenticated visitors. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (GitHub POC).

The vulnerability allows unauthenticated attackers to access and download any uploaded assignment files. This could lead to exposure of sensitive information contained in student assignments and potentially cause GDPR compliance issues. The vulnerability can be exploited without requiring an account on the affected website (GitHub POC).

The vulnerability has been patched in two stages. LearnDash version 4.10.2 partially addressed the issue by preventing assignment file paths from leaking through the REST API. Version 4.10.3, released on January 31, 2024, fully resolved the vulnerability by moving file storage to a protected folder and implementing dynamic download links to prevent unauthorized access. Users are advised to upgrade to version 4.10.3 or later (LearnDash Release Notes, GitHub POC).