Tutor LMS Pro < 2.7.3 – Missing Authorization to Authenticated (Subscriber+) Insecure Direct Object Reference | CVE 2024-5784 | Plugin Vulnerabilities

Description

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized administrative actions execution due to a missing capability checks on multiple functions like treport_quiz_atttempt_delete and tutor_gc_class_action in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with the subscriber-level access and above, to preform an administrative actions on the site, like comments, posts or users deletion, viewing notifications, etc.

Affects Plugins

Fixed in 2.7.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/aa5c23ed-7239-40e1-a795-1ae8d4c2d6c8

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Thanh Nam Tran

Verified

No

WPVDB ID

d5d0df4b-afe6-4585-bf30-01ec1d8d5c3b

Timeline

Publicly Published

2024-08-29 (about 1 year ago)

Added

2024-08-29 (about 1 year ago)

Last Updated

2024-08-30 (about 1 year ago)

Other

Published

Title

Published

2024-05-07

Title

Shared Counts – Social Media Share Buttons < 1.5.0 - Missing Authorization to Arbitrary Email Sending

Published

2026-03-01

Title

ShopWP <= 5.2.4 - Missing Authorization

Published

2026-01-20

Title

Pie Register < 3.8.4.9 - Missing Authorization

Published

2023-11-28

Title

Razorpay for WooCommerce < 4.5.7 - Subscriber+ Transfers Manipulation

Published

2024-06-28

Title

Zita Elementor Site Library < 1.6.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload