CVE-2023-3133
N/A
N/A
Summary
The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Unknown | Tutor LMS | 0 < 2.2.1 | affected |
Weaknesses
- CWE-639 Authorization Bypass Through User-Controlled Key
ADP Enrichment
CVE Program Container
Additional References
- https://wpscan.com/vulnerability/3b6969a7-5cbc-4e16-8f27-5dde481237f5
- https://plugins.trac.wordpress.org/browser/tutor/tags/2.2.0/classes/RestAPI.php#L253
- https://wordpress.org/plugins/tutor/
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://wpscan.com/vulnerability/3b6969a7-5cbc-4e16-8f27-5dde481237f5
- https://plugins.trac.wordpress.org/browser/tutor/tags/2.2.0/classes/RestAPI.php#L253
- https://wordpress.org/plugins/tutor/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.