Unauthorized Access to Administrative Actions on Tutor LMS Pro Plugin for WordPress
CVE-2024-5784

7.1 HIGH

Key Information:

Vendor: WordPress

CVE Published: 30 August 2024

What is CVE-2024-5784?

The Tutor LMS Pro plugin for WordPress, in all versions up to and including 2.7.2, allows low-privileged users to perform administrative actions. The cause is missing capability checks on several action handlers, including treport_quiz_attempt_delete and tutor_gc_class_action: the handlers act on the request without first confirming that the calling user holds the capability the action requires. As a result, any authenticated user with subscriber-level access or higher can invoke them and, for example, delete comments, posts or users, or read notifications intended for administrators. Because the plugin's own subscriber role is typically assigned to every enrolled student, the practical bar to exploitation is low. Site administrators should update to version 2.7.3 or later, which adds the missing checks.
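The pattern behind this class of bug is a WordPress admin-ajax handler that trusts a request from any logged-in user. The snippet below is an added illustration, not code from Tutor LMS Pro or its vendor: it shows a handler with the missing-capability-check defect next to a hardened version that verifies a nonce and a capability before acting. The hook names, function names, the `demo_` prefix and the `attempt_id` parameter are all hypothetical.

```php
<?php
/*
 * Added illustration (not Tutor LMS Pro code). Hook and function names are
 * hypothetical. Shows a missing-capability-check AJAX handler beside a
 * hardened one.
 */

// VULNERABLE: wp_ajax_* hooks are reachable by every authenticated user,
// including subscribers. Nothing here checks who is calling or whether the
// request was intentionally made, so a subscriber can delete arbitrary posts.
add_action( 'wp_ajax_demo_delete_attempt', 'demo_delete_attempt_vulnerable' );
function demo_delete_attempt_vulnerable() {
    $attempt_id = isset( $_POST['attempt_id'] ) ? absint( $_POST['attempt_id'] ) : 0;
    wp_delete_post( $attempt_id, true ); // runs for subscriber-level callers
    wp_send_json_success( array( 'deleted' => $attempt_id ) );
}

// HARDENED: authorisation (capability) and CSRF protection (nonce) are both
// enforced before any state change.
add_action( 'wp_ajax_demo_delete_attempt_safe', 'demo_delete_attempt_safe' );
function demo_delete_attempt_safe() {
    // Rejects the request (dies with -1) if the nonce is missing or invalid.
    // The matching nonce is created server-side with
    // wp_create_nonce( 'demo_delete_attempt' ) and handed to the front end.
    check_ajax_referer( 'demo_delete_attempt', 'nonce' );

    // Capability check. 'manage_options' is held by administrators only;
    // in a real plugin use the narrowest capability that fits the action,
    // ideally a custom one the plugin registers for instructors/admins.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $attempt_id = isset( $_POST['attempt_id'] ) ? absint( $_POST['attempt_id'] ) : 0;
    if ( ! $attempt_id ) {
        wp_send_json_error( array( 'message' => 'Missing attempt_id.' ), 400 );
    }

    // Object-level check: even an authorised caller should only touch posts
    // of the expected type. 'demo_attempt' is a hypothetical post type.
    $post = get_post( $attempt_id );
    if ( ! $post || 'demo_attempt' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Not a quiz attempt.' ), 404 );
    }

    wp_delete_post( $attempt_id, true );
    wp_send_json_success( array( 'deleted' => $attempt_id ) );
}
```

To confirm a fix of this kind on a live site, log in as a freshly created subscriber, POST to `/wp-admin/admin-ajax.php` with `action=demo_delete_attempt_safe` and a valid `attempt_id`, and verify the response is a 403 (or `-1` for a missing nonce) and the post still exists; the same request against the vulnerable handler succeeds, which is the condition the advisory describes.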

Affected Version(s)

Tutor LMS Pro: all versions up to and including 2.7.2

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 30 August 2024

Credit

Thanh Nam Tran