CVE-2024-4318

The Tutor LMS plugin for WordPress is vulnerable to time-based SQL Injection via the ‘questionid’ parameter in versions up to, and including, 2.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

CVE-2024-4318

The Tutor LMS plugin for WordPress is vulnerable to time-based SQL Injection via the ‘questionid’ parameter in versions up to, and including, 2.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

CVE-2024-4279

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutorcoursedelete' function due to missing validation on a user controlled key. This can allow...

CVE-2024-4279

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutorcoursedelete' function due to missing validation on a user controlled key. This can allow...

CVE-2024-4318

CVE-2024-4318 (Tutor LMS – WordPress) is a time-based SQL Injection in Tutor LMS up to and including version 2.7.0 via the question_id parameter, caused by insufficient escaping and improper query preparation. Exploitation is possible by authenticated users with Instructor-level permissions and h...

CVE-2024-4279 Tutor LMS – eLearning and online course solution <= 2.7.0 - Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Course Deletion

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutorcoursedelete' function due to missing validation on a user controlled key. This can allow...

CVE-2024-4279

Summary: CVE-2024-4279 affects Tutor LMS – eLearning and online course solution for WordPress. An insecure direct object reference vulnerability exists in the tutor_course_delete function caused by missing validation on a user-controlled key, enabling an authenticated attacker with Instructor-lev...

WordPress Tutor LMS plugin <= 2.7.0 - Missing Authorization vulnerability

Missing Authorization vulnerability discovered by villu164 in WordPress Plugin Tutor LMS versions = 2.7.0...

WordPress Tutor LMS Pro plugin <= 2.7.0 - Missing Authorization to SQL Injection vulnerability

Missing Authorization to SQL Injection vulnerability discovered by villu164 in WordPress Plugin Tutor LMS Pro versions = 2.7.0...

WordPress Tutor LMS Pro plugin <= 2.7.0 - Missing Authorization vulnerability

Missing Authorization vulnerability discovered by villu164 in WordPress Plugin Tutor LMS Pro versions = 2.7.0...

WordPress Tutor LMS plugin <= 2.7.0 - Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Course Deletion vulnerability

Authenticated Instructor+ Insecure Direct Object Reference to Arbitrary Course Deletion vulnerability discovered by Thanh Nam Tran in WordPress Plugin Tutor LMS versions = 2.7.0...

WordPress Tutor LMS Pro plugin <= 2.7.0 - Missing Authorization to Privilege Escalation vulnerability

Missing Authorization to Privilege Escalation vulnerability discovered by villu164 in WordPress Plugin Tutor LMS Pro versions = 2.7.0...

WordPress Tutor LMS plugin <= 2.7.0 - Authenticated (Instructor+) SQL Injection vulnerability

Authenticated Instructor+ SQL Injection vulnerability discovered by Thanh Nam Tran in WordPress Plugin Tutor LMS versions = 2.7.0...

WordPress Tutor LMS Plugin <= 2.7.0 is vulnerable to Broken Access Control

Software Tutor LMS Type Plugin Vulnerable versions = 2.7.0 Fixed in 2.7.1 OWASP Top 10 A5: Broken Access Control Classification Broken Access Control CVE CVE-2024-4223 Patch priority High CVSS severity High 8.6 Developer Claim ownership PSID 86348e33f1ae Credits villu164 Required privilege...

WordPress Tutor LMS Pro Plugin <= 2.7.0 is vulnerable to Broken Access Control

Software Tutor LMS Pro Type Plugin Vulnerable versions = 2.7.0 Fixed in 2.7.1 OWASP Top 10 A1: Broken Access Control Classification Broken Access Control CVE CVE-2024-4352 Patch priority High CVSS severity High 8.8 Developer Claim ownership PSID 7694afbc9e58 Credits villu164 Required privilege...

WordPress Tutor LMS Pro Plugin <= 2.7.0 is vulnerable to Broken Access Control

Software Tutor LMS Pro Type Plugin Vulnerable versions = 2.7.0 Fixed in 2.7.1 OWASP Top 10 A5: Broken Access Control Classification Broken Access Control CVE CVE-2024-4222 Patch priority High CVSS severity High 7.3 Developer Claim ownership PSID 2853424c7113 Credits villu164 Required privilege...

WordPress Tutor LMS Plugin <= 2.7.0 is vulnerable to Insecure Direct Object References (IDOR)

Software Tutor LMS Type Plugin Vulnerable versions = 2.7.0 Fixed in 2.7.1 OWASP Top 10 A1: Broken Access Control Classification Insecure Direct Object References IDOR CVE CVE-2024-4279 Patch priority Low CVSS severity Low 4.9 Developer Claim ownership PSID b3b3270c166a Credits Thanh Nam Tran...

WordPress Tutor LMS Pro Plugin <= 2.7.0 is vulnerable to Privilege Escalation

Software Tutor LMS Pro Type Plugin Vulnerable versions = 2.7.0 Fixed in 2.7.1 OWASP Top 10 A7: Identification and Authentication Failures Classification Privilege Escalation CVE CVE-2024-4351 Patch priority High CVSS severity High 8.8 Developer Claim ownership PSID fc3d215c9303 Credits villu164...

WordPress plugin Tutor LMS 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security vulnerability...

VulnCheck KEV: CVE-2024-4351

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'authenticate' function in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with...