5.3

CVE-2024-10393

Tutor LMS <= 2.7.6 - User Registration Setting Bypass to Unauthorized User Registration

Tutor LMS <= 2.7.6 - User Registration Setting Bypass to Unauthorized User Registration

The Tutor LMS plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 2.7.6. This is due to a missing check for the 'users_can_register' option in the 'register_instructor' function. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.
Mögliche Gegenmaßnahme
Tutor LMS – eLearning and online course solution: Update to version 2.7.7, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ThemeumTutor Lms SwPlatformwordpress Version <= 2.7.6
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt Tutor LMS – eLearning and online course solution
Version *-2.7.6
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.56% 0.423
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security@wordfence.com 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://plugins.trac.wordpress.org/changeset/3186319/tutor
Patch
https://www.wordfence.com/threat-intel/vulnerabilities/id/bf8aa169-df51-46db-8c65-f1543d4f75f9?source=cve
Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/bf8aa169-df51-46db-8c65-f1543d4f75f9
Third Party Advisory