CVE-2024-4352

Name of the Vulnerable Software and Affected Versions Tutor LMS Pro plugin for WordPress (affected versions not specified)

Description The issue concerns unauthorized access, modification, and loss of data due to a missing capability check on the get calendar materials function. Additionally, the plugin is vulnerable to SQL Injection via the year parameter of this function, resulting from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. This allows authenticated attackers with subscriber-level permissions and above to append additional SQL queries, potentially extracting sensitive information from the database.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.