CVE-2024-5784

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized administrative actions execution due to a missing capability checks on multiple functions like treport_quiz_atttempt_delete and tutor_gc_class_action in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with the subscriber-level access and above, to preform an administrative actions on the site, like comments, posts or users deletion, viewing notifications, etc.
Configurations

Configuration 1 (hide)

cpe:2.3:a:tutorlms:tutor_lms_pro:*:*:*:*:*:wordpress:*:*

History

03 Sep 2024, 14:48

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 7.1
v2 : unknown
v3 : 6.3
First Time Tutorlms tutor Lms Pro
Tutorlms
CPE cpe:2.3:a:tutorlms:tutor_lms_pro:*:*:*:*:*:wordpress:*:*
References () https://tutorlms.com/releases/id/299/ - () https://tutorlms.com/releases/id/299/ - Release Notes
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/aa5c23ed-7239-40e1-a795-1ae8d4c2d6c8?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/aa5c23ed-7239-40e1-a795-1ae8d4c2d6c8?source=cve - Third Party Advisory
Summary
  • (es) El complemento Tutor LMS Pro para WordPress es vulnerable a la ejecución de acciones administrativas no autorizadas debido a la falta de comprobaciones de capacidad en varias funciones como treport_quiz_atttempt_delete y tutor_gc_class_action en todas las versiones hasta la 2.7.2 incluida. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor o superior, realicen acciones administrativas en el sitio, como comentarios, eliminación de publicaciones o usuarios, visualización de notificaciones, etc.

30 Aug 2024, 04:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-08-30 04:15

Updated : 2024-09-03 14:48


NVD link : CVE-2024-5784

Mitre link : CVE-2024-5784

CVE.ORG link : CVE-2024-5784


JSON object : View

Products Affected

tutorlms

  • tutor_lms_pro
CWE
CWE-862

Missing Authorization