Tutor LMS – eLearning and online course solution < 2.6.2 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion | CVE 2024-1502 | Plugin Vulnerabilities

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tutor_delete_announcement() function in all versions up to, and including, 2.6.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts.

Affects Plugins

Fixed in 2.6.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/834c4ca9-7173-4c84-8287-9916ec72935d

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Lucio Sá

Verified

No

WPVDB ID

262a1899-5bcd-4a2c-b7f3-b3c27cd2bb20

Timeline

Publicly Published

2024-03-12 (about 2 years ago)

Added

2024-03-12 (about 2 years ago)

Last Updated

2024-03-12 (about 2 years ago)

Other

Published

Title

Published

2026-04-13

Title

Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) < 4.1.9 Missing Authorization to Authenticated (Subscriber+) Order Information Exposure

Published

2025-11-18

Title

wpForo Forum < 2.4.11 - Missing Authorization

Published

2025-03-31

Title

NanoSupport <= 0.6.0 - Missing Authorization

Published

2026-01-15

Title

AffiliateX 1.0.0 - 1.3.9.3 - Authenticated (Subscriber+) Missing Authorization to Stored Cross-Site Scripting via save_customization_settings

Published

2025-06-05

Title

Responsive Flipbooks <= 1.0 - Missing Authorization