CVE-2024-4223 — Missing Authorization in Tutor LMS

CWE-862 — Missing Authorization3 documents3 sources

Severity

9.8CRITICALNVD

EPSS

2.2%

top 15.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Themeum Tutor LMS Themeum Tutor LMS Elearning AND Online Course Solution

Timeline

PublishedMay 16

Description

The Tutor LMS plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDthemeum/tutor_lms< 2.7.1

▶CVEListV5themeum/tutor_lms_elearning_and_online_course_solution2.7.0

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

CVEList

Tutor LMS <= 2.7.0 - Missing Authorization↗2024-05-16

▶

GHSA

GHSA-xmv2-92jh-84fp: The Tutor LMS plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check↗2024-05-16

▶