CVE-2024-5784Missing Authorization in Tutor LMS

CWE-862Missing Authorization3 documents3 sources
Severity
7.1HIGHNVD
EPSS
0.7%
top 28.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Themeum Tutor LMSThemeum Tutor LMS PRO
Timeline
PublishedAug 30

Description

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized administrative actions execution due to a missing capability checks on multiple functions like treport_quiz_atttempt_delete and tutor_gc_class_action in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with the subscriber-level access and above, to preform an administrative actions on the site, like comments, posts or users deletion, viewing notifications, etc.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:NExploitability: 2.8 | Impact: 4.2

Affected Packages2 packages

NVDthemeum/tutor_lms< 2.7.3
CVEListV5themeum/tutor_lms_pro2.7.2

🔴Vulnerability Details

2
GHSA
GHSA-88qq-rx45-9fwm: The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized administrative actions execution due to a missing capability checks on multiple f2024-08-30
CVEList
Tutor LMS Pro <= 2.7.2 - Missing Authorization to Authenticated (Subscriber+) Insecure Direct Object Reference2024-08-30
CVE-2024-5784 — Missing Authorization in Tutor LMS | cvebase