Tutor LMS < 2.6.1 – Missing Authorization | CVE 2024-1133 | Plugin Vulnerabilities

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of restricted Q&A content due to a missing capability check when interacting with questions in all versions up to, and including, 2.6.0. This makes it possible for authenticated attackers, with subscriber access or higher, to interact with questions in courses in which they are not enrolled including private courses.

Affects Plugins

Fixed in 2.6.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e8a7c04a-1fa0-434d-8161-7a32cefb44c4

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

drop

Verified

No

WPVDB ID

315036fc-711c-4bb8-9f98-1e40c2b85383

Timeline

Publicly Published

2024-02-20 (about 2 years ago)

Added

2024-02-20 (about 2 years ago)

Last Updated

2024-02-20 (about 2 years ago)

Other

Published

Title

Published

2024-07-18

Title

WPForms User Registration < 2.1.2 - Missing Authorization to Authenticated (Contributor+) Privilege Escalation

Published

2024-04-17

Title

MyRewards < 5.3.1 - Missing Authorization

Published

2026-04-07

Title

PZ Frontend Manager <= 1.0.6 - Missing Authorization to Arbitrary User Deletion via 'dataType' Parameter

Published

2024-08-28

Title

Fota WP < 1.4.2 - Missing Authorization via fotawp_install_and_activate_plugins()

Published

2024-12-11

Title

New User Approve < 2.6.4 - Missing Authorization