# Exploit Title: WP Courses < 2.0.29 - Broken Access Controls leading to 
Courses Content Disclosure
# Exploit Author: Stefan Broeder, Marco Ortisi (redtimmysec)
# Authors blog:
# Vendor Homepage:
# Version Vulnerable: < 2.0.29
# CVE: (requested but not assigned yet)

WP Courses plugin < 2.0.29 does not protect the courses which could be 
accessed by unauthenticated users using the REST API (/wp-jon/) 
endpoints (for example /wp-json/wp/v2/lesson/{lesson_id}) This could 
result in attackers accessing paying content without authorization.

Full story here: