WordPress Plugin Vulnerabilities

Tutor LMS Pro < 2.7.1 - Missing Authorization

Description

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.

Affects Plugins

Plugin icon
tutor-pro
Fixed in 2.7.1

References

CVE
CVE-2024-4222
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/942fffb6-2719-4b70-9759-21b2d50002c5

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
7.3 (high)

Miscellaneous

Original Researcher
villu164
Verified
No
WPVDB ID
ee505ce8-c80d-4c4c-949f-63a060c3abbb

Timeline

Publicly Published
2024-05-15 (about 1 year ago)
Added
2024-05-15 (about 1 year ago)
Last Updated
2024-05-15 (about 1 year ago)

Other

Published
Title
Published
2023-11-13
Title
AWeber < 7.3.10 - Missing Authorization via AJAX actions
Published
2025-02-10
Title
Zox News < 3.17.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Modification
Published
2025-11-11
Title
Booking Calendar | Appointment Booking | Bookit < 2.5.1 - Missing Authorization to Unauthenticated Stripe Connection
Published
2023-01-16
Title
Stream < 3.9.2 - Subscriber+ Alert Creation
Published
2024-06-03
Title
Admin Notices Manager < 1.5.0 - Missing Authorization to Authenticated (Subscriber+) User Email Retrieval