CVE-2024-3553 — Missing Authorization in Tutor LMS

CWE-862 — Missing Authorization3 documents3 sources

Severity

6.5MEDIUMNVD

EPSS

0.3%

top 46.81%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Themeum Tutor LMS Themeum Tutor LMS Elearning AND Online Course Solution

Timeline

PublishedMay 2

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the hide_notices function in all versions up to, and including, 2.6.2. This makes it possible for unauthenticated attackers to enable user registration on sites that may have it disabled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:NExploitability: 3.9 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5themeum/tutor_lms_elearning_and_online_course_solution2.6.2

▶NVDthemeum/tutor_lms< 2.7.0

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

CVEList

Tutor LMS <= 2.6.2 - Missing Authorization to Unauthenticated Limited Options Update↗2024-05-02

▶

GHSA

GHSA-576v-pqr8-c2mq: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capabili↗2024-05-02

▶