CVE-2022-2080 Vulnerability Analysis & Exploit Details

CVE-2022-2080 Vulnerability Summary

CVE-2022-2080: The Sensei LMS WordPress plugin before 4.5.2 does not ensure that the sender of a private message is either the teacher or the original sender, allowing any authenticated user to send messages to arbitrary private conversation via a IDOR attack. Note: Attackers are not able to see responses/messages between the teacher and student

Exploit Prediction Scoring System (EPSS)

The EPSS score estimates the probability that this vulnerability will be exploited in the near future.

EPSS Score: 0.054% (probability of exploit)

EPSS Percentile: 25.64% (lower percentile = lower relative risk)
This vulnerability is less risky than approximately 74.36% of others.

CVE-2022-2080 References

External References

• https://hackerone.com/reports/1592596
• https://wpscan.com/vulnerability/5395d196-a39a-4a58-913e-5b5b9d6123a5
• https://hackerone.com/reports/1592596
• https://wpscan.com/vulnerability/5395d196-a39a-4a58-913e-5b5b9d6123a5

CWE Common Weakness Enumeration

Vulnerable Configurations

• cpe:2.3:a:automattic:sensei_lms:-:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:-:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:2.0.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:2.0.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:2.1.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:2.1.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:2.1.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:2.1.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:2.1.2:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:2.1.2:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:2.2.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:2.2.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:2.2.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:2.2.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:2.3.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:2.3.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:2.4.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:2.4.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.0.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.0.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.0.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.0.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.1.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.1.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.1.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.1.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.2.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.2.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.3.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.3.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.3.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.3.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.4.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.4.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.4.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.4.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.5.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.5.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.5.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.5.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.5.2:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.5.2:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.5.3:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.5.3:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.6.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.6.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.6.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.6.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.7.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.7.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.8.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.8.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.8.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.8.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.9.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.9.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.9.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.9.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.10.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.10.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.11.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.11.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.11.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.11.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.12.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.12.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.13.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.13.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.13.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.13.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.13.2:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.13.2:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.13.3:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.13.3:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.14.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.14.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.15.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.15.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.15.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.15.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:3.15.2:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:3.15.2:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:4.0.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:4.0.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:4.0.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:4.0.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:4.0.2:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:4.0.2:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:4.1.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:4.1.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:4.1.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:4.1.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:4.2.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:4.2.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:4.3.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:4.3.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:4.4.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:4.4.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:4.4.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:4.4.1:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:4.4.2:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:4.4.2:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:4.4.3:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:4.4.3:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:4.5.0:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:4.5.0:*:*:*:*:wordpress:*:*
• cpe:2.3:a:automattic:sensei_lms:4.5.1:*:*:*:*:wordpress:*:*
  cpe:2.3:a:automattic:sensei_lms:4.5.1:*:*:*:*:wordpress:*:*

Other 5 Recently Published CVEs Vulnerabilities

• CVE-2025-3284 – The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Cross-Site Reques...
• CVE-2025-3278 – The UrbanGo Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.4. This is due to the plugi...
• CVE-2025-2010 – The JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin plugin for WordPress is vulnerable to SQL Injection via the 'jobwp_upload_re...
• CVE-2025-43903 – NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries.
• CVE-2025-3796 – A vulnerability classified as critical has been found in PHPGurukul Men Salon Management System 1.0. This affects an unknown part of the file /admi...