CVE-2024-4351 — SQL Injection in Tutor LMS

CWE-89 — SQL Injection CWE-862 — Missing Authorization4 documents4 sources

Severity

8.8HIGHNVD

EPSS

31.0%

top 3.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Themeum Tutor LMS Themeum Tutor LMS PRO

Timeline

PublishedMay 16

Description

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'authenticate' function in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to gain control of an existing administrator account.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDthemeum/tutor_lms< 2.7.1

▶CVEListV5themeum/tutor_lms_pro2.7.0

🔴Vulnerability Details

CVEList

Tutor LMS Pro <= 2.7.0 - Missing Authorization to Privilege Escalation↗2024-05-16

▶

GHSA

GHSA-2cvr-cjfw-9xmv: The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability ch↗2024-05-16

▶

VulnCheck

Tutor LMS Pro plugin for WordPress authenticate function Vulnerability↗2024

▶