CVE-2024-0377 MEDIUM

CVE-2024-0377: LifterLMS – WordPress LMS Plugin for eLearning <= 7.5.1 - Missing Authorization via process_review

Vendor Chrisbadgett
Product LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes
Weakness CWE-284
Published March 13, 2024
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The LifterLMS – WordPress LMS Plugin for eLearning plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'process_review' function in all versions up to, and including, 7.5.1. This makes it possible for unauthenticated attackers to publish an unrestricted number of reviews on the site.

Key dates

02Disclosure timeline

March 13, 2024 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2020-2025 Kata Containers - Cloud Hypervisor guests persist filesystem changes to the underlying host image file CVE-2021-36775 Deleting PRTBs associated to a group doesn't cause deletion of corresponding RoleBindings CVE-2022-26308 Improper Access Control in Configuration (Credential store) CVE-2024-2315 SMM arbitrary code execution in Overclock CVE-2023-26473 XWiki Platform allows unprivileged users to make arbitrary select queries using DatabaseListProperty and suggest.vm