CVE-2024-1798 MEDIUM

CVE-2024-1798: Tutor LMS – Migration Tool <= 2.2.0 - Missing Authorization in tutor_lp_export_xml

Vendor Themeum

Product Tutor LMS – Migration Tool

Weakness CWE-862 · Missing authorization

Published July 27, 2024

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the tutor_lp_export_xml function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to export courses, including private and password protected courses.

Key dates

02Disclosure timeline

July 27, 2024 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-1798 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

04Related CVE

CVE-2024-37506 WordPress Donation Forms by Charitable plugin <= 1.8.1.7 - Broken Access Control vulnerability CVE-2023-44214 CVE-2025-14581 HAPPY – Helpdesk Support Ticket System <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Ticket Reply CVE-2025-11762 HubSpot All-In-One Marketing - Forms, Popups, Live Chat <= 11.3.32 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure CVE-2025-29012 WordPress CF7 7 Mailchimp Add-on plugin < 2.4 - Broken Access Control Vulnerability