CVE-2024-4222Missing Authorization in Tutor LMS

CWE-862Missing Authorization3 documents3 sources
Severity
8.2HIGHNVD
CNA7.3
EPSS
0.6%
top 31.09%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Themeum Tutor LMSThemeum Tutor LMS PRO
Timeline
PublishedMay 16

Description

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:NExploitability: 3.9 | Impact: 4.2

Affected Packages2 packages

NVDthemeum/tutor_lms< 2.7.1
CVEListV5themeum/tutor_lms_pro2.7.0

🔴Vulnerability Details

2
GHSA
GHSA-q4ff-pq82-jv6g: The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability ch2024-05-16
CVEList
Tutor LMS Pro <= 2.7.0 - Missing Authorization2024-05-16
CVE-2024-4222 — Missing Authorization in Tutor LMS | cvebase