Unauthorized Access to Data in Tutor LMS Plugin for WordPress
CVE-2024-4223

9.8CRITICAL

Key Information:

Vendor: Themeum
Status: Tutor Lms – Elearning And Online Course Solution
Vendor: CVE Published:; 16 May 2024

Summary

The Tutor LMS plugin for WordPress is susceptible to unauthorized data access due to a missing capability check across multiple functions. This vulnerability allows unauthenticated attackers the ability to add, modify, or delete data. The issue affects all versions of the Tutor LMS plugin up to and including version 2.7.0, posing significant risks for WordPress users who rely on this plugin for their educational platforms.

Affected Version(s)

Tutor LMS – eLearning and online course solution * <= 2.7.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3086489/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 16, 2024
Vulnerability Reserved
Apr 26, 2024

Credit

Villu Orav