EUVD-2026-12184Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
The Thim Kit for Elementor - Pre-built Templates & Widgets for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing validation checks on the 'thim-ekit/archive-course/get-courses' REST endpoint callback function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to disclose private or draft LearnPress course content by supplying post_status in the params_url payload.
AnalysisAI
The Thim Kit for Elementor plugin for WordPress versions up to 1.3.7 allows unauthenticated attackers to access private and draft LearnPress course content through an improperly secured REST API endpoint that accepts arbitrary post status parameters. The vulnerability stems from missing input validation on the 'thim-ekit/archive-course/get-courses' endpoint, enabling information disclosure to any remote attacker without authentication or user interaction. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Vulnerability AssessmentAI
| Risk Assessment | The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates network-accessible attack surface with low complexity and no privilege requirements, yielding a moderate 5.3 base score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker performs reconnaissance on a WordPress site running Thim Kit for Elementor and LearnPress, discovering the REST API endpoint via enumeration. The attacker crafts a simple HTTP GET request to /wp-json/thim-ekit/archive-course/get-courses?post_status=draft to retrieve all draft courses, exposing course titles, descriptions, and curriculum details before they are published. … |
| Remediation | Upgrade Thim Kit for Elementor to version 1.3.8 or later immediately through the WordPress plugin dashboard or direct download from the vendor. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new u
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline
The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outp
The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthen
Share
External POC / Exploit Code
Leaving vuln.today