CVE-2024-1502

Name of the Vulnerable Software and Affected Versions Tutor LMS plugin for WordPress versions up to, and including, 2.6.1

Description The issue is related to a missing capability check on the tutor delete announcement() function, which can allow authenticated attackers with subscriber-level access and above to delete arbitrary posts, potentially leading to unauthorized loss of data. This is due to insufficient authorization procedures.

Recommendations For versions up to, and including, 2.6.1, update to a version that includes a fix for the missing capability check on the tutor delete announcement() function. As a temporary workaround, consider restricting access to the tutor delete announcement() function to prevent unauthorized post deletion.