
Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference leading to arbitrary course deletion in versions up to, and including, 2.7.0 via the 'tutor_course_delete' function, due to missing validation on a user-controlled key: the course identifier supplied in the request is acted on without checking that the caller is authorized for that particular course. This allows authenticated attackers with Instructor-level permissions and above to delete any course, not only their own.
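The pattern behind CWE-639 is easier to see side by side. The following is an added illustration written for this page, not Tutor LMS code and not the actual patched handler: a generic WordPress AJAX endpoint that deletes a "course" post. The post type name, hook name, nonce action and function names are all assumed for the example. The vulnerable form checks only that the caller holds some capability and then deletes whatever ID the client sent; the hardened form adds a nonce check, confirms the object is of the expected type, and performs an object-level authorization check tied to the specific post.

```php
<?php
// Added illustration, not Tutor LMS code. Names below are assumptions for the example.
// Assumed post type; the real plugin's post type and handler are not reproduced here.
const EXAMPLE_COURSE_POST_TYPE = 'example_course';

// --- Vulnerable pattern: "missing validation on a user-controlled key" (CWE-639) ---
function example_vuln_course_delete() {
    // A role/capability check proves the caller is *some* instructor, but says
    // nothing about *which* course they may delete. 'edit_posts' is an assumed cap.
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // The key comes straight from the client and is never tied to the caller,
    // so any instructor can supply another instructor's course ID.
    $course_id = absint( $_POST['course_id'] ?? 0 );
    wp_delete_post( $course_id, true );
    wp_send_json_success( array( 'deleted' => $course_id ) );
}

// --- Hardened pattern ---
function example_safe_course_delete() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action
    //    ('example_course_delete' is the assumed nonce action, 'nonce' the field name).
    check_ajax_referer( 'example_course_delete', 'nonce' );

    // 2. Resolve the object and confirm this endpoint is allowed to manage its type.
    //    Rejecting other post types also stops the handler deleting pages/posts by ID.
    $course_id = absint( $_POST['course_id'] ?? 0 );
    $course    = $course_id ? get_post( $course_id ) : null;
    if ( ! $course || EXAMPLE_COURSE_POST_TYPE !== $course->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }

    // 3. Object-level authorization. The meta capability 'delete_post' for a
    //    specific post ID is resolved by WordPress to delete_posts vs
    //    delete_others_posts (and published/private variants) according to
    //    authorship, so a non-author instructor is refused here.
    //    Caveat: this mapping only happens if the post type was registered with
    //    'map_meta_cap' => true; otherwise the check is always false.
    if ( ! current_user_can( 'delete_post', $course->ID ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $course->ID, true );
    wp_send_json_success( array( 'deleted' => $course->ID ) );
}

// Logged-in users only: no wp_ajax_nopriv_ registration for a destructive action.
add_action( 'wp_ajax_example_course_delete', 'example_safe_course_delete' );
```

To verify a fix of this class in any plugin, log in as two separate Instructor accounts, create a course under each, and submit the delete request from account A with account B's course ID (with a valid nonce for A). The hardened handler must answer 403 and leave the course in place; an answer of 200 with the course gone reproduces the IDOR regardless of how strict the role check is.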

State: PUBLISHED | Reserved 2024-04-26 | Published 2024-05-16 | Updated 2024-08-01 | Assigner: Wordfence




MEDIUM: 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status: unaffected

* (semver): affected, up to and including 2.7.0

Timeline

2024-05-15:Disclosed

Credits

Thanh Nam Tran finder

References

www.wordfence.com/...-e43a-4732-91bf-e4af7b622e33?source=cve

plugins.trac.wordpress.org/.../trunk/classes/Course_List.php

plugins.trac.wordpress.org/changeset/3086489/

cve.org (CVE-2024-4279)

nvd.nist.gov (CVE-2024-4279)
