wpvulndb WPVDB-ID:315036FC-711C-4BB8-9F98-1E40C2B85383
Feb 20, 2024 - 12:00 a.m.

Tutor LMS < 2.6.1 - Missing Authorization

2024-02-20 00:00:00
wpscan.com
tutor lms
elearning
wordpress
vulnerability
unauthorized access
q&a
capability check
authenticated attackers
subscriber access
private courses

CVSS3: 4.3

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score: 6.2
Confidence: High

EPSS: 0
Percentile: 9.0%

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of restricted Q&A content due to a missing capability check when interacting with questions in all versions up to, and including, 2.6.0. This makes it possible for authenticated attackers, with subscriber access or higher, to interact with questions in courses in which they are not enrolled, including private courses.
