CVE-2024-4279: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Refere
medium vulnerability
security
Summary
The Tutor LMS WordPress plugin (up to version 2.7.0) has an insecure direct object reference (IDOR) flaw, in which an attacker can reach resources by guessing or manipulating ID numbers. The 'tutor_course_delete' function performs no proper permission check, so users with Instructor-level permissions can delete any course. This happens because the code doesn't validate which courses a user is allowed to delete.
Vulnerability Details
CVSS Score
6.5 (medium)
EPSS (30-day exploit probability)
EPSS: 0.2%
Classification
Attack Sophistication: Trivial
Taxonomy References
CWE (Weakness Type)
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-4279
First tracked: February 15, 2026 at 08:37 PM
Classified by LLM (prompt v3) · confidence: 95%