Bijingus

**Name of the Vulnerable Software and Affected Versions** wp-courses plugin versions prior to 2.0.28 **Description** The issue allows remote attackers to bypass the intended payment step for course videos and materials. This is achieved by utilizing the `/wp-json` REST API, with `show in rest` enabled for custom post types, such as `/wp-json/wp/v2/course` and `/wp-json/wp/v2/lesson`. The issue has been exploited in the wild. **Recommendations** For wp-courses plugin versions prior to 2.0.28, update to version 2.0.28 or later to resolve the issue. As a temporary workaround, consider disabling the REST API endpoints `/wp-json/wp/v2/course` and `/wp-json/wp/v2/lesson` until the update is applied.