Description
Missing Authorization vulnerability in Automattic Sensei LMS sensei-lms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sensei LMS: from n/a through <= 4.24.4.
Published: 2025-03-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from incorrectly configured access control security levels in the Sensei LMS plugin for WordPress, allowing a missing authorization flaw measured as CWE-862. Attackers can bypass required authorization checks and access protected resources of the learning management system without any elevated privileges.

Affected Systems

Automattic’s Sensei LMS WordPress plugin, versions 4.24.4 and earlier, running on any WordPress site is affected. Sites that have not upgraded beyond version 4.24.4 remain at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, and the EPSS probability of less than 1 percent suggests exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Exploitation is expected to occur through standard web traffic that accesses protected content pages without proper access control checks, without requiring any special credentials.

Generated by OpenCVE AI on May 2, 2026 at 08:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Sensei LMS plugin to version 4.24.5 or newer.
  • Verify WordPress user roles and capabilities to ensure that only authorized users can access course materials and administrative pages.
  • Review any custom code or additional plugins that may alter Sensei LMS permissions and correct any insecure configurations.

Generated by OpenCVE AI on May 2, 2026 at 08:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-8532 Missing Authorization vulnerability in Automattic Sensei LMS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sensei LMS: from n/a through 4.24.4.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Automattic Sensei LMS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sensei LMS: from n/a through 4.24.4. Missing Authorization vulnerability in Automattic Sensei LMS sensei-lms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sensei LMS: from n/a through <= 4.24.4.
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Fri, 28 Mar 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 27 Mar 2025 21:30:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in Automattic Sensei LMS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sensei LMS: from n/a through 4.24.4.
Title WordPress Sensei LMS plugin <= 4.24.4 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Automattic Sensei Lms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:06.125Z

Reserved: 2025-01-07T21:04:23.273Z

Link: CVE-2025-22740

cve-icon Vulnrichment

Updated: 2025-03-28T16:11:31.532Z

cve-icon NVD

Status : Deferred

Published: 2025-03-27T22:15:16.747

Modified: 2026-04-23T15:23:31.970

Link: CVE-2025-22740

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T08:45:38Z

Weaknesses