Unauthorized Access to Data in Tutor LMS Pro Plugin for WordPress
CVE-2024-4351

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Tutor Lms Pro
Vendor: CVE Published:; 16 May 2024

Summary

The Tutor LMS Pro plugin for WordPress is susceptible to an unauthorized access flaw due to a lack of capability checks within the 'authenticate' function. This vulnerability, present in all versions up to and including 2.7.0, allows authenticated users, even those with subscriber-level permissions, to potentially manipulate or take control of an administrator account. Given the expansive use of the plugin, this security issue raises serious concerns about data integrity and user privacy across affected WordPress installations.

Affected Version(s)

Tutor LMS Pro * <= 2.7.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://www.themeum.com/product/tutor-lms/

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 16, 2024
Vulnerability Reserved
Apr 30, 2024

Credit

Villu Orav