exploitDog

CVE-2024-5784

Опубликовано: 30 авг. 2024

Источник: nvd

CVSS3: 7.1

EPSS Низкий

Описание

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized administrative actions execution due to a missing capability checks on multiple functions like treport_quiz_atttempt_delete and tutor_gc_class_action in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with the subscriber-level access and above, to preform an administrative actions on the site, like comments, posts or users deletion, viewing notifications, etc.

Ссылки

https://tutorlms.com/releases/id/299/
Release Notes
https://www.wordfence.com/threat-intel/vulnerabilities/id/aa5c23ed-7239-40e1-a795-1ae8d4c2d6c8?source=cve
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:themeum:tutor_lms:*:*:*:*:pro:wordpress:*:*

Версия до 2.7.3 (исключая)

EPSS

Процентиль: 66%

0.00507

Низкий

7.1 High

CVSS3

Дефекты

CWE-862

Связанные уязвимости

GHSA-88qq-rx45-9fwm

CVSS3: 7.1

github

больше 1 года назад

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized administrative actions execution due to a missing capability checks on multiple functions like treport_quiz_atttempt_delete and tutor_gc_class_action in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with the subscriber-level access and above, to preform an administrative actions on the site, like comments, posts or users deletion, viewing notifications, etc.

EPSS

Процентиль: 66%

0.00507

Низкий

7.1 High

CVSS3

Дефекты

CWE-862