
Cloud Vulnerability DB
A community-led vulnerabilities database
The LearnDash LMS plugin for WordPress contains a Sensitive Information Exposure vulnerability (CVE-2024-1210) affecting all versions up to and including 4.10.1. The vulnerability allows unauthenticated attackers to obtain access to quizzes through the API. This issue was discovered on December 25, 2023, and was patched in version 4.10.3 released on January 31, 2024 (GitHub Exploit).
The vulnerability exists due to improper access controls in the WordPress REST API endpoints. Specifically, the plugin publishes all quizzes and quiz questions for unauthenticated visitors through multiple API endpoints: /wp/v2/sfwd-question, /wp/v2/ld-exam, and /ldlms/v1/sfwd-quiz. The CVSS v3.1 score is 5.3 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Wordfence Advisory).
The vulnerability allows unauthorized users to access and view all quiz content without being enrolled in the associated courses. This compromises the educational integrity of the platform since quiz questions intended to verify student knowledge become publicly accessible (GitHub Exploit).
The vulnerability has been fixed in LearnDash version 4.10.3. Site administrators should update to this version or later to protect their quiz content. While version 4.10.2 partially addressed some related issues, it did not fully resolve this vulnerability (GitHub Exploit).
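To review whether quiz content was read through these endpoints before the update, the following added example (not code from LearnDash, Wordfence, or this page's sources) counts successful GET requests to the three routes in a web server access log. It assumes Combined Log Format and the default `/wp-json` REST prefix; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# REST routes named in the advisory for CVE-2024-1210.
QUIZ_ROUTES = ("/wp/v2/sfwd-question", "/wp/v2/ld-exam", "/ldlms/v1/sfwd-quiz")

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def rest_route(target):
    """Return the WordPress REST route a request target addresses, or None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if "rest_route" in query:              # plain permalinks: /?rest_route=/wp/v2/...
        return query["rest_route"][0]
    path = unquote(parts.path)
    idx = path.find("/wp-json/")           # pretty permalinks (assumed default prefix)
    return path[idx + len("/wp-json"):] if idx != -1 else None

def quiz_reads(lines):
    """Count successful GETs per (client IP, quiz route)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or not m["status"].startswith("2"):
            continue                       # skip malformed lines, writes, 401/403/404
        route = (rest_route(m["target"]) or "").rstrip("/")
        for base in QUIZ_ROUTES:
            if route == base or route.startswith(base + "/"):
                hits[(m["ip"], base)] += 1
    return hits

# Constructed sample lines (documentation IP ranges), not taken from a real site.
T = "[02/Feb/2024:10:00:00 +0000]"
SAMPLE = [
    f'203.0.113.7 - - {T} "GET /wp-json/wp/v2/sfwd-question?per_page=100 HTTP/1.1" 200 48211 "-" "curl/8.4.0"',
    f'203.0.113.7 - - {T} "GET /wp-json/wp/v2/sfwd-question?per_page=100&page=2 HTTP/1.1" 200 47003 "-" "curl/8.4.0"',
    f'203.0.113.7 - - {T} "GET /?rest_route=%2Fldlms%2Fv1%2Fsfwd-quiz HTTP/1.1" 200 9120 "-" "curl/8.4.0"',
    f'198.51.100.20 - - {T} "GET /wp-json/wp/v2/ld-exam/12 HTTP/1.1" 401 112 "-" "Mozilla/5.0"',
    f'198.51.100.20 - - {T} "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (ip, route), count in quiz_reads(SAMPLE).most_common():
        print(f"{ip} read {route} {count} time(s)")
```

Access logs in this format do not record whether a request carried a valid session, so treat the counts as leads to correlate with enrollment records rather than as confirmed unauthorized access.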
Source: This report was generated using AI