Skip to main content

Lifterlms CVE-2024-0377

MEDIUM
Improper Access Control (CWE-284)
2024-03-13 security@wordfence.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch released
Apr 08, 2026 - 19:39 nvd
Patch available
CVE Published
Mar 13, 2024 - 16:15 nvd
MEDIUM 5.3

DescriptionCVE.org

The LifterLMS - WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_review' function in all versions up to, and including, 7.5.1. This makes it possible for unauthenticated attackers to publish an unrestricted number of reviews on the site.

AnalysisAI

The LifterLMS - WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_review' function in all. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-284. The LifterLMS - WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_review' function in all versions up to, and including, 7.5.1. This makes it possible for unauthenticated attackers to publish an unrestricted number of reviews on the site. Affected products include: Lifterlms.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2019-15896 CRITICAL POC
9.8 Sep 10

An issue was discovered in the LifterLMS plugin through 3.34.5 for WordPress. Rated critical severity (CVSS 9.8), this v

CVE-2021-24562 HIGH POC
7.5 Aug 23

The LMS by LifterLMS - Online Course, Membership & Learning Management System Plugin for WordPress plugin before 4.21.2

CVE-2024-13619 MEDIUM POC
6.1 May 15

The LifterLMS WordPress plugin before 8.0.1 does not sanitise and escape a parameter before outputting it back in the pa

CVE-2022-1250 MEDIUM POC
6.1 May 02

The LifterLMS PayPal WordPress plugin before 1.4.0 does not sanitise and escape some parameters from the payment confirm

CVE-2020-6008 CRITICAL
9.8 Mar 31

LifterLMS Wordpress plugin version below 3.37.15 is vulnerable to arbitrary file write leading to remote code execution.

CVE-2021-24308 MEDIUM POC
5.4 May 24

The 'State' field of the Edit profile page of the LMS by LifterLMS - Online Course, Membership & Learning Management Sys

CVE-2024-4743 HIGH
8.8 Jun 05

The LifterLMS - WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to SQL Injection via the orderBy a

CVE-2024-7349 HIGH
7.2 Sep 06

The LifterLMS - WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to blind SQL Injectio

CVE-2024-31363 MEDIUM
4.3 Apr 12

Cross-Site Request Forgery (CSRF) vulnerability in LifterLMS.5.0. Rated medium severity (CVSS 4.3), this vulnerability i

CVE-2024-12596 MEDIUM
4.3 Dec 18

The LifterLMS - WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to arbitrary post del

CVE-2023-6160 LOW
3.3 Nov 22

The LifterLMS - WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to Directory Traversal in versions

CVE-2025-2290 MEDIUM
5.3 Mar 19

The LifterLMS - WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to Unauthenticated Po

Share

CVE-2024-0377 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy