{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/information-exposure/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-13765"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["LearnPress – WordPress LMS Plugin for Create and Sell Online Courses \u003c= 4.4.1"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","vulnerability","information-exposure","web"],"_cs_type":"advisory","_cs_vendors":["ThimPress"],"content_html":"\u003cp\u003eA critical sensitive information exposure vulnerability, identified as CVE-2026-13765, exists in the LearnPress - WordPress LMS Plugin for Create and Sell Online Courses, affecting all versions up to and including 4.4.1. This flaw, present in the \u003ccode\u003echeck_answer\u003c/code\u003e functionality, allows unauthenticated attackers to bypass authorization controls and extract highly sensitive information. This includes correct answer markers, full option lists, detailed explanations, and the content of any quiz question hosted on the site. The impact extends to questions belonging to paid courses, enabling attackers to obtain valuable educational content without enrollment or payment. The vulnerability stems from missing authorization checks (CWE-862) within the plugin's code, enabling a direct attack against web applications utilizing the plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress website running the vulnerable LearnPress plugin.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET or POST request targeting a LearnPress endpoint associated with quiz functionality, specifically invoking the \u003ccode\u003echeck_answer\u003c/code\u003e logic.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes parameters identifying a specific quiz and question, such as \u003ccode\u003equiz_id\u003c/code\u003e and \u003ccode\u003equestion_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to a missing authorization check, the LearnPress plugin processes the request without verifying the attacker's authentication or enrollment status for the course.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003echeck_answer\u003c/code\u003e function executes and, instead of merely validating an answer, inadvertently retrieves and exposes sensitive details about the question and its solution.\u003c/li\u003e\n\u003cli\u003eThe web server returns an HTTP 200 OK response containing the quiz question's correct answer, the complete list of options, the explanation, and the question content.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the response to successfully extract the sensitive educational content, including details from paid courses they are not enrolled in.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-13765 leads to a significant compromise of intellectual property and the integrity of online educational content. Attackers can obtain full quiz solutions, including correct answers, alternative options, and detailed explanations, for any quiz on the platform. This bypasses paywalls and enrollment requirements for paid courses, effectively devaluing the educational offerings and potentially leading to lost revenue for course creators and organizations. The exposure also allows malicious actors to distribute answers, facilitating cheating, and undermining the academic integrity of institutions relying on the LearnPress plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-13765 immediately by updating the LearnPress plugin to version 4.4.2 or higher.\u003c/li\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetects CVE-2026-13765 Exploitation - LearnPress Information Exposure Attempt\u003c/code\u003e Sigma rule to your SIEM and monitor webserver logs for suspicious access patterns to LearnPress quiz-related endpoints.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server logging for HTTP requests, including URI stems and query parameters, to facilitate detection and investigation of exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T05:19:31Z","date_published":"2026-07-17T05:19:31Z","id":"https://feed.craftedsignal.io/briefs/2026-07-learnpress-info-exposure/","summary":"An unauthenticated sensitive information exposure vulnerability (CVE-2026-13765) in the LearnPress - WordPress LMS Plugin for Create and Sell Online Courses, versions up to 4.4.1, allows attackers to extract quiz answers, options, explanations, and question content, including for paid courses.","title":"Sensitive Information Exposure in LearnPress WordPress Plugin (CVE-2026-13765)","url":"https://feed.craftedsignal.io/briefs/2026-07-learnpress-info-exposure/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-62386"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Grav API plugin (\u003c 1.0.0-rc.16)","grav-plugin-api (\u003c 1.0.0-rc.16)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","web","api","jwt","information-exposure","grav"],"_cs_type":"advisory","_cs_vendors":["getgrav"],"content_html":"\u003cp\u003eA critical vulnerability, tracked as CVE-2026-62386, has been identified in the Grav API plugin (getgrav/grav-plugin-api) affecting all versions prior to 1.0.0-rc.16. This flaw allows JWT access tokens to be submitted and processed via the \u003ccode\u003e?token=\u003c/code\u003e URL query parameter across all API routes. This method of token submission inherently exposes sensitive admin access tokens, as they are logged verbatim in web server access logs, stored in browser history, and can be leaked via the Referer HTTP header or captured by upstream proxy and CDN logs. This widespread exposure of valid admin tokens grants unauthorized individuals full API access, enabling them to read sensitive configuration files and user data, create new administrator accounts, modify critical system settings, and delete pages. The vulnerability poses a significant risk to the integrity and confidentiality of Grav-based websites.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Grav API endpoint susceptible to the \u003ccode\u003e?token=\u003c/code\u003e parameter vulnerability.\u003c/li\u003e\n\u003cli\u003eA valid JWT admin access token for the Grav API is acquired through passive means (e.g., from web server access logs, browser history, proxy/CDN logs, or HTTP Referer header leakage).\u003c/li\u003e\n\u003cli\u003eThe attacker constructs a malicious HTTP request to a Grav API endpoint, embedding the leaked JWT token in the \u003ccode\u003e?token=\u003c/code\u003e URL query parameter.\u003c/li\u003e\n\u003cli\u003eThe Grav API processes the request, authenticating the attacker with the legitimate admin token.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds to read sensitive configuration and user data from the Grav system via authenticated API calls.\u003c/li\u003e\n\u003cli\u003eUtilizing API functionality, the attacker creates new administrative user accounts to establish persistence within the Grav environment.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies critical system settings or configuration parameters via API calls to further control the application.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker deletes content, such as pages, or performs other destructive actions, achieving unauthorized control and data manipulation within the Grav instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-62386 can lead to severe consequences for affected Grav instances. Unauthorized individuals gaining access to valid admin JWT tokens can bypass authentication mechanisms and achieve full control over the Grav API. This can result in the complete compromise of data confidentiality through the reading of sensitive configuration and user data, including potentially private content. Furthermore, the ability to create new administrator accounts and modify system settings grants attackers persistent access and potential privilege escalation, allowing them to subvert the website's functionality and integrity. The deletion of pages represents a direct impact on data availability and can lead to significant reputational damage or operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-62386 immediately by upgrading the Grav API plugin to version 1.0.0-rc.16 or higher.\u003c/li\u003e\n\u003cli\u003eReview web server access logs, proxy logs, and CDN logs for any instances of \u003ccode\u003e?token=\u003c/code\u003e parameters in URL paths, which could indicate prior or ongoing token exposure.\u003c/li\u003e\n\u003cli\u003eConfigure web server logging to filter or redact sensitive URL query parameters (specifically \u003ccode\u003etoken=\u003c/code\u003e) to prevent future leakage, even after patching.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect attempts to exploit this vulnerability or unusual token usage patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T02:41:05Z","date_published":"2026-07-17T02:41:05Z","id":"https://feed.craftedsignal.io/briefs/2026-07-grav-api-jwt-leak/","summary":"The Grav API plugin (getgrav/grav-plugin-api) before version 1.0.0-rc.16 is vulnerable to sensitive information exposure, accepting JWT access tokens via the '?token=' URL query parameter, causing these tokens to be logged in web server access logs, browser history, and potentially leaked through Referer headers, proxy, or CDN logs, which allows an attacker to gain unauthorized API access, read configuration and user data, create new admin accounts, modify system settings, and delete pages.","title":"Grav API Plugin Vulnerability Exposes JWT Access Tokens via URL Parameter","url":"https://feed.craftedsignal.io/briefs/2026-07-grav-api-jwt-leak/"}],"language":"en","title":"CraftedSignal Threat Feed - Information-Exposure","version":"https://jsonfeed.org/version/1.1"}