Tutor LMS < 2.7.4 – Missing Authorization | CVE 2024-43142 | Plugin Vulnerabilities

Description

The Tutor LMS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the create_or_update_annoucement, tutor_quiz_save, tutor_load_edit_lesson_modal, and tutor_modal_create_or_update_lesson functions in versions up to, and including, 2.7.3. This makes it possible for authenticated attackers, with tutor instructor-level access and above, to modify data they should not have access to.

Affects Plugins

Fixed in 2.7.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/c82e24a3-8000-4aa5-953e-11415b94909b

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

akas wisnu aji

Verified

No

WPVDB ID

d167c7ec-fd72-46ab-8d2d-24eb449273d1

Timeline

Publicly Published

2024-08-07 (about 1 year ago)

Added

2024-08-14 (about 1 year ago)

Last Updated

2024-08-14 (about 1 year ago)

Other

Published

Title

Published

2026-01-24

Title

Wired Impact Volunteer Management < 2.8.1 - Missing Authorization

Published

2025-06-27

Title

HurryTimer < 2.14.0 - Missing Authorization

Published

2025-01-18

Title

EMI Calculator <= 1.1 - Missing Authorization to Unauthenticated Settings Change

Published

2022-02-15

Title

Relevanssi - Subscriber+ Unauthorised AJAX Calls

Published

2025-12-22

Title

Telegram Widget and Join Link < 2.2.13 - Missing Authorization