Products
Tutor LMS
- up to 2.7.0
Tutor LMS - eLearning and online course solution plugin for WordPress
- up to 2.7.0
Source
security@wordfence.com
CVE-2024-4279 details
Last Modified : May 16, 2024, 1:03 p.m.
Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutor_course_delete' function due to missing validation on a user controlled key. This can allow authenticated attackers, with Instructor-level permissions and above, to delete any course.
CVSS Score
6.5
CVSS Data
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Base Score | 6.5 |
Exploitability Score | |
Impact Score | |
Base Severity | MEDIUM |
Vector String : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
URL | Source |
---|---|
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course_List.php#L357 | security@wordfence.com |
https://plugins.trac.wordpress.org/changeset/3086489/ | security@wordfence.com |
https://www.wordfence.com/threat-intel/vulnerabilities/id/45d04643-e43a-4732-91bf-e4af7b622e33?source=cve | security@wordfence.com |