The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized administrative actions execution due to a missing capability checks on multiple functions like treport_quiz_atttempt_delete and tutor_gc_class_action in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with the subscriber-level access and above, to preform an administrative actions on the site, like comments, posts or users deletion, viewing notifications, etc.
References
Link | Resource |
---|---|
https://tutorlms.com/releases/id/299/ | Release Notes |
https://www.wordfence.com/threat-intel/vulnerabilities/id/aa5c23ed-7239-40e1-a795-1ae8d4c2d6c8?source=cve | Third Party Advisory |
Configurations
History
03 Sep 2024, 14:48
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.3 |
First Time |
Tutorlms tutor Lms Pro
Tutorlms |
|
CPE | cpe:2.3:a:tutorlms:tutor_lms_pro:*:*:*:*:*:wordpress:*:* | |
References | () https://tutorlms.com/releases/id/299/ - Release Notes | |
References | () https://www.wordfence.com/threat-intel/vulnerabilities/id/aa5c23ed-7239-40e1-a795-1ae8d4c2d6c8?source=cve - Third Party Advisory | |
Summary |
|
30 Aug 2024, 04:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-08-30 04:15
Updated : 2024-09-03 14:48
NVD link : CVE-2024-5784
Mitre link : CVE-2024-5784
CVE.ORG link : CVE-2024-5784
JSON object : View
Products Affected
tutorlms
- tutor_lms_pro
CWE
CWE-862
Missing Authorization