LifterLMS – WordPress LMS Plugin for eLearning < 7.5.2 – Missing Authorization via process_review | CVE 2024-0377 | Plugin Vulnerabilities

Description

The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_review' function in all versions up to, and including, 7.5.1. This makes it possible for unauthenticated attackers to publish an unrestricted number of reviews on the site.

Affects Plugins

Fixed in 7.5.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d1f41400-5c59-444d-9c1e-121e83449521

Classification

Type

ACCESS CONTROLS

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Francesco Carlucci

Verified

No

WPVDB ID

676ae2d6-91f7-458d-8ab0-7a641e74b508

Timeline

Publicly Published

2024-02-27 (about 2 years ago)

Added

2024-02-27 (about 2 years ago)

Last Updated

2024-02-27 (about 2 years ago)

Other

Published

Title

Published

2023-12-27

Title

Rencontre – Dating Site < 3.11 - Privilege Escalation

Published

2021-04-20

Title

Redirection for Contact Form 7 < 2.3.4 - Authenticated Arbitrary Plugin Installation

Published

2025-07-03

Title

DocCheck Login < 1.1.6 - Unauthorized Post Access

Published

2024-02-06

Title

AMP for WP < 1.0.93.2 - Authenticated(Contributor+) Arbitrary Post Deletion via amppb_remove_saved_layout_data

Published

2021-07-05

Title

Filter Gallery < 0.0.7 - Unauthorised AJAX Calls