The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized administrative actions execution due to a missing capability checks on multiple functions like treport_quiz_atttempt_delete and tutor_gc_class_action in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with the subscriber-level access and above, to preform an administrative actions on the site, like comments, posts or users deletion, viewing notifications, etc.
Metrics
Affected Vendors & Products
References
History
Tue, 03 Sep 2024 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Tutorlms
Tutorlms tutor Lms Pro |
|
CPEs | cpe:2.3:a:tutorlms:tutor_lms_pro:*:*:*:*:*:wordpress:*:* | |
Vendors & Products |
Tutorlms
Tutorlms tutor Lms Pro |
Fri, 30 Aug 2024 15:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Fri, 30 Aug 2024 03:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized administrative actions execution due to a missing capability checks on multiple functions like treport_quiz_atttempt_delete and tutor_gc_class_action in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with the subscriber-level access and above, to preform an administrative actions on the site, like comments, posts or users deletion, viewing notifications, etc. | |
Title | Tutor LMS Pro <= 2.7.2 - Missing Authorization to Authenticated (Subscriber+) Insecure Direct Object Reference | |
Weaknesses | CWE-862 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-08-30T03:24:16.470Z
Updated: 2024-08-30T14:39:05.512Z
Reserved: 2024-06-10T08:27:03.121Z
Link: CVE-2024-5784
Vulnrichment
Updated: 2024-08-30T14:39:01.219Z
NVD
Status : Analyzed
Published: 2024-08-30T04:15:08.193
Modified: 2024-09-03T14:48:19.570
Link: CVE-2024-5784
Redhat
No data.