CVE-2024-5784
moderate-risk
Published 2024-08-30
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized execution of administrative actions due to missing capability checks on multiple functions, such as treport_quiz_atttempt_delete and tutor_gc_class_action, in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform administrative actions on the site, such as deleting comments, posts or users, viewing notifications, etc.
Do I need to act?
0.69% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 7.1/10 (High)
Attack vector: NETWORK / Attack complexity: LOW
References (2)
Release Notes: https://tutorlms.com/releases/id/299/
Third Party Advisory: https://www.wordfence.com/threat-intel/vulnerabilities/id/aa5c23ed-7239-40e1-a79...
Risk score: 32 / 100 (moderate-risk)
Severity: 25/34 · High
Exploitability: 2/34 · Minimal
Exposure: 5/34 · Minimal