Unauthorized Access to Data in Tutor LMS Plugin for WordPress

CVE-2024-4223

9.8CRITICAL

Key Information

Vendor: Themeum
Status: Tutor Lms – Elearning And Online Course Solution
Vendor: CVE Published:; 16 May 2024

Summary

The Tutor LMS plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete data.

Affected Version(s)

Tutor LMS – eLearning and online course solution <= 2.7.0

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
May 16, 2024
Disclosed
May 15, 2024
Vulnerability Reserved.
Apr 26, 2024

Collectors

NVD DatabaseMitre Database

Credit

Villu Orav