CVE-2024-10393 — Improper Access Control in Tutor LMS Elearning AND Online Course Solution

CWE-284 — Improper Access Control CWE-862 — Missing Authorization3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 68.67%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Themeum Tutor LMS Elearning AND Online Course Solution Themeum Tutor LMS

Timeline

PublishedNov 21

Latest updateJan 23

Description

The Tutor LMS plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 2.7.6. This is due to a missing check for the 'users_can_register' option in the 'register_instructor' function. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDthemeum/tutor_lms2.7.6

▶CVEListV5themeum/tutor_lms_elearning_and_online_course_solution2.7.6

Patches

Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-j3xj-pjxr-9p6c: The Tutor LMS plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 2↗2025-01-23

▶

CVEList

Tutor LMS <= 2.7.6 - User Registration Setting Bypass to Unauthorized User Registration↗2024-11-21

▶