Vulnerability Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutor_course_delete' function due to missing validation on a user controlled key. This can allow authenticated attackers, with Instructor-level permissions and above, to delete any course.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Themeum | Tutor Lms | < 2.7.1 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course_List.php#LProduct
- https://plugins.trac.wordpress.org/changeset/3086489/Patch
- https://www.wordfence.com/threat-intel/vulnerabilities/id/45d04643-e43a-4732-91bThird Party Advisory
- https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course_List.php#LProduct
- https://plugins.trac.wordpress.org/changeset/3086489/Patch
- https://www.wordfence.com/threat-intel/vulnerabilities/id/45d04643-e43a-4732-91bThird Party Advisory
FAQ
What is CVE-2024-4279?
CVE-2024-4279 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the...
How severe is CVE-2024-4279?
CVE-2024-4279 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-4279?
Check the references section above for vendor advisories and patch information. Affected products include: Themeum Tutor Lms.