CVE Radar Logo
CVERadar
CVE Radar Logo
CVERadar

CVE-2024-4279

Medium Severity
Themeum
SVRS
30/100
CVSSv3
6.5/10
EPSS
0.00129/1

CVE-2024-4279 allows unauthorized course deletion in the Tutor LMS WordPress plugin. Authenticated instructors can delete arbitrary courses due to insecure direct object reference. This vulnerability affects versions up to 2.7.0.

The Tutor LMS plugin, a popular eLearning solution for WordPress, is susceptible to this insecure direct object reference (IDOR) vulnerability. Although the CVSS score is 6.5, indicating a medium severity, the SOCRadar Vulnerability Risk Score (SVRS) of 30 suggests a lower immediate risk compared to vulnerabilities with SVRS scores above 80. However, successful exploitation can lead to significant data loss and disruption of online learning platforms. The vulnerability stems from missing validation on a user-controlled key within the 'tutor_course_delete' function, which can allow attackers with Instructor-level permissions or higher to delete any course. It is crucial for administrators to update to a patched version of the Tutor LMS plugin to mitigate this risk and prevent unauthorized course deletions. The fact that this vulnerability has been tagged as "In The Wild" also raises concerns.

TAGS
In The Wild
VECTOR STRING
CVSS:3.1
AV:N
AC:L
PR:L
UI:N
S:U
C:N
I:H
A:N
PUBLICATION DATE2024-05-16
LAST MODIFIED2025-01-24

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE

Enhance Your CVE Management with SOCRadar Vulnerability Intelligence
Get comprehensive CVE details, real-time notifications, and proactive threat management all in one platform.
CREATE FREE ACCOUNT
CVE Details
Access comprehensive CVE information instantly
Real-time Tracking
Subscribe to CVEs and get instant updates
Exploit Analysis
Monitor related APT groups and threats
IOC Tracking
Analyze and track CVE-related IOCs

News

CVE-2024-4279 | Tutor LMS Plugin up to 2.7.0 on WordPress Course resource injection
vuldb.com2025-01-24
CVE-2024-4279 | Tutor LMS Plugin up to 2.7.0 on WordPress Course resource injection | A vulnerability was found in Tutor LMS Plugin up to 2.7.0 on WordPress. It has been declared as problematic. This vulnerability affects unknown code of the component Course Handler. The manipulation leads to improper control of resource identifiers. This vulnerability was named CVE-2024-4279. The attack can be initiated
vuldb.com
rss
forum
news

Social Media

CVE-2024-4279 The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up … https://t.co/Epm4HfvVF7
0
1
0

Affected Software

Configuration 1
TypeVendorProduct
AppThemeumtutor_lms

References

ReferenceLink
[email protected]https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course_List.php#L357
[email protected]https://plugins.trac.wordpress.org/changeset/3086489/
[email protected]https://www.wordfence.com/threat-intel/vulnerabilities/id/45d04643-e43a-4732-91bf-e4af7b622e33?source=cve
AF854A3A-2127-422B-91AE-364DA2661108https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course_List.php#L357
AF854A3A-2127-422B-91AE-364DA2661108https://plugins.trac.wordpress.org/changeset/3086489/
AF854A3A-2127-422B-91AE-364DA2661108https://www.wordfence.com/threat-intel/vulnerabilities/id/45d04643-e43a-4732-91bf-e4af7b622e33?source=cve
[email protected]https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course_List.php#L357
[email protected]https://plugins.trac.wordpress.org/changeset/3086489/
[email protected]https://www.wordfence.com/threat-intel/vulnerabilities/id/45d04643-e43a-4732-91bf-e4af7b622e33?source=cve

CWE Details

CWE IDCWE NameDescription
CWE-639Authorization Bypass Through User-Controlled KeyThe system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CVE Radar

Real-time CVE Intelligence & Vulnerability Management Platform

CVE Radar provides comprehensive vulnerability intelligence by monitoring CVE databases, security advisories, and threat feeds. Get instant updates on new vulnerabilities, exploit details, and mitigation strategies specific to your assets.

Get Free Vulnerability Intelligence AccessAccess real-time CVE monitoring, exploit analysis, and threat intelligence