CVE-2024-3553

MEDIUM

Tutor LMS < 2.6.2 - Unauthenticated Data Modification via Missing Capability Check

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-3553. PoCs published by RandomRobbieBF.

AI-analyzed exploit summary This repository contains functional exploit code for CVE-2024-3553, a missing authorization vulnerability in Tutor LMS <= 2.6.2. The exploit allows authenticated attackers to enable user registration by leveraging a flawed `is_admin()` check.

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the hide_notices function in all versions up to, and including, 2.6.2. This makes it possible for unauthenticated attackers to enable user registration on sites that may have it disabled.

Exploits (1)

nomisec WORKING POC
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2024-3553

This repository contains functional exploit code for CVE-2024-3553, a missing authorization vulnerability in Tutor LMS <= 2.6.2. The exploit allows authenticated attackers to enable user registration by leveraging a flawed `is_admin()` check.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Tutor LMS WordPress plugin <= 2.6.2
Auth required
Prerequisites: Authenticated WordPress account (subscriber or higher) · Tutor LMS plugin installed and activated
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 6.5
EPSS 0.0047
EPSS Percentile 36.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (2)
themeum/Tutor LMS – eLearning and online course solution < 2.6.2
themeum/tutor_lms < 2.7.0
Published May 02, 2024
Tracked Since Feb 18, 2026