CVE-2024-4279

{"id": "CVE-2024-4279", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2024-05-16T06:15:10.667", "references": [{"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course_List.php#L357", "tags": ["Product"], "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset/3086489/", "tags": ["Patch"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45d04643-e43a-4732-91bf-e4af7b622e33?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course_List.php#L357", "tags": ["Product"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://plugins.trac.wordpress.org/changeset/3086489/", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45d04643-e43a-4732-91bf-e4af7b622e33?source=cve", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutor_course_delete' function due to missing validation on a user controlled key. This can allow authenticated attackers, with Instructor-level permissions and above, to delete any course."}, {"lang": "es", "value": "El complemento Tutor LMS \u2013 eLearning and online course solution para WordPress es vulnerable a la Referencia directa insegura a objetos para la eliminaci\u00f3n arbitraria de cursos en versiones hasta la 2.7.0 incluida a trav\u00e9s de la funci\u00f3n 'tutor_course_delete' debido a la falta de validaci\u00f3n en una clave controlada por el usuario. Esto puede permitir que atacantes autenticados, con permisos de nivel de Instructor y superiores, eliminen cualquier curso."}], "lastModified": "2025-01-24T17:03:18.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "F6D02936-81CB-45D8-A594-B5D9A2731936", "versionEndExcluding": "2.7.1"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}