CVE-2021-24242

🗓️ 22 Apr 2021 21:00:51Reported by WPScanType

cve🔗 web.nvd.nist.gov📰️ 4 Media mentions👁 48 Views🌐 WEB

The Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.8 is affected by a local file inclusion vulnerability through the maliciously constructed sub_page parameter of the plugin's Tools, allowing high privilege users to include any local php fil

Reporter	Title	Published	Views	Family All 10
CNNVD	WordPress 路径遍历漏洞	22 Apr 202100:00	–	cnnvd
CNVD	WordPress path traversal vulnerability (CNVD-2021-44306)	28 Apr 202100:00	–	cnvd
Cvelist	CVE-2021-24242 Tutor LMS < 1.8.8 - Authenticated Local File Inclusion	22 Apr 202121:00	–	cvelist
EUVD	EUVD-2021-11156	7 Oct 202500:30	–	euvd
NVD	CVE-2021-24242	22 Apr 202121:15	–	nvd
Patchstack	WordPress Tutor LMS plugin <= 1.8.7 - Authenticated Local File Inclusion vulnerability	5 Apr 202100:00	–	patchstack
Prion	Arbitrary file deletion	22 Apr 202121:15	–	prion
RedhatCVE	CVE-2021-24242	22 May 202521:04	–	redhatcve
wpexploit	Tutor LMS < 1.8.8 - Authenticated Local File Inclusion	5 Apr 202100:00	–	wpexploit
WPVulnDB	Tutor LMS < 1.8.8 - Authenticated Local File Inclusion	5 Apr 202100:00	–	wpvulndb

NVD

Vulners

Node

themeum tutor_lmsRange<1.8.8wordpress

[
  {
    "product": "Tutor LMS – eLearning and online course solution",
    "vendor": "Themeum",
    "versions": [
      {
        "lessThan": "1.8.8",
        "status": "affected",
        "version": "1.8.8",
        "versionType": "custom"
      }
    ]
  }
]

Source	Link
wpscan	www.wpscan.com/vulnerability/20f3e63a-31d8-49a0-b4ef-209749feff5c

Parameter	Position	Path	Description	CWE
sub_page	query param	wp-admin/admin.php?page=tutor-tools&sub_page=..%2F..%2F..%2F..%2F..%2F..%2Findex	Local File Inclusion via malicious sub_page parameter in Tutor LMS Tools leads to inclusion of local PHP files (high-privilege impact).	CWE-22

21 Nov 2024 05:52Current

3.9Low risk

Vulners AI Score3.9

CVSS 3.13.8

CVSS 25.5

EPSS0.00224

CWE-22