Lucene search

[email protected]NVD:CVE-2024-5784

HistoryAug 30, 2024 - 4:15 a.m.

CVE-2024-5784

2024-08-3004:15:08

CWE-862

[email protected]

web.nvd.nist.gov

vulnerable

wordpress

tutor lms

CVSS3

6.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

EPSS

Percentile

14.1%

JSON

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized administrative actions execution due to a missing capability checks on multiple functions like treport_quiz_atttempt_delete and tutor_gc_class_action in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with the subscriber-level access and above, to preform an administrative actions on the site, like comments, posts or users deletion, viewing notifications, etc.

Affected configurations

Nvd

Node

tutorlmstutor_lms_proRange<2.7.3wordpress

VendorProductVersionCPE
tutorlmstutor_lms_pro*cpe:2.3:a:tutorlms:tutor_lms_pro:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
tutorlms	tutor_lms_pro	*	cpe:2.3:a:tutorlms:tutor_lms_pro::::::wordpress::*

References

tutorlms.com/releases/id/299/

www.wordfence.com/threat-intel/vulnerabilities/id/aa5c23ed-7239-40e1-a795-1ae8d4c2d6c8?source=cve