Tutor LMS – eLearning and online course solution Vulnerability – Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Quiz Attempt Deletion & Authenticated (Administrator+) SQL Injection – CVE-2024-5438, CVE-2024-4902 | WordPress Plugin Vulnerability Report

Plugin Name: Tutor LMS – eLearning and online course solution

Key Information:

  • Software Type: Plugin
  • Software Slug: tutor
  • Software Status: Active
  • Software Author: themeum
  • Software Downloads: 2,142,088
  • Active Installs: 90,000
  • Last Updated: June 20, 2024
  • Patched Versions: 2.7.2
  • Affected Versions: <= 2.7.1

Vulnerability 1 Details:

  • Name: Tutor LMS – eLearning and online course solution <= 2.7.1
  • Title: Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Quiz Attempt Deletion
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVE: CVE-2024-5438
  • CVSS Score: 4.3
  • Publicly Published: June 6, 2024
  • Researcher: Thanh Nam Tran
  • Description: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.1 via the 'attempt_delete' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Instructor-level access and above, to delete arbitrary quiz attempts.
  • References: Wordfence Advisory

Vulnerability 2 Details:

  • Name: Tutor LMS – eLearning and online course solution <= 2.7.1
  • Title: Authenticated (Administrator+) SQL Injection
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
  • CVE: CVE-2024-4902
  • CVSS Score: 7.2
  • Publicly Published: June 6, 2024
  • Researcher: wesley
  • Description: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the 'course_id' parameter in all versions up to, and including, 2.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
  • References: Wordfence Advisory
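The two descriptions above name the same root causes from opposite sides: an object id taken from the request and acted on without checking that the caller owns the object (the IDOR in vulnerability 1), and a request parameter spliced into a SQL string instead of being bound through a prepared query (the injection in vulnerability 2). The following PHP is an added example, not code from Tutor LMS or themeum; it shows how a WordPress AJAX handler that deletes a quiz attempt would apply both checks. The hook name, nonce name, the `example_quiz_attempts` table, and the assumption that a course is a post whose `post_author` is the instructor are all hypothetical.

```php
<?php
// Added example (not Tutor LMS code): a hypothetical WordPress AJAX handler
// that deletes a quiz attempt. It shows the two controls whose absence the
// report describes: object-level authorization on the user-controlled
// attempt id (the IDOR class) and prepared queries for course_id (the SQL
// injection class). All table, hook and nonce names are assumptions.

add_action( 'wp_ajax_example_delete_quiz_attempt', 'example_delete_quiz_attempt' );

function example_delete_quiz_attempt() {
    global $wpdb;

    // CSRF protection first; the nonce action name is an assumption.
    check_ajax_referer( 'example_delete_attempt_nonce', 'nonce' );

    // Coerce the user-controlled key to an integer before it reaches SQL.
    $attempt_id = isset( $_POST['attempt_id'] ) ? absint( $_POST['attempt_id'] ) : 0;
    if ( ! $attempt_id ) {
        wp_send_json_error( array( 'message' => 'Invalid attempt id.' ), 400 );
    }

    // Hypothetical attempts table; every value is bound via $wpdb->prepare().
    $table     = $wpdb->prefix . 'example_quiz_attempts';
    $course_id = $wpdb->get_var( $wpdb->prepare(
        "SELECT course_id FROM {$table} WHERE attempt_id = %d",
        $attempt_id
    ) );
    if ( null === $course_id ) {
        wp_send_json_error( array( 'message' => 'Attempt not found.' ), 404 );
    }

    // Object-level authorization: the attempt must belong to a course this
    // instructor owns, unless the caller is an administrator. This is the
    // check an IDOR lacks: a valid-looking id is never proof of ownership.
    // Assumption: the course is a post and post_author is the instructor.
    $course_author = (int) get_post_field( 'post_author', (int) $course_id );
    $is_owner      = ( $course_author === get_current_user_id() );
    if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // $wpdb->delete() builds a parameterised WHERE clause from the format array.
    $deleted = $wpdb->delete( $table, array( 'attempt_id' => $attempt_id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// The course_id pattern on its own: the string concatenation the report
// describes, beside its prepared form.
function example_count_attempts_for_course_unsafe( $course_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_quiz_attempts';
    // VULNERABLE: $course_id is interpolated verbatim, so a non-numeric value
    // becomes part of the statement itself.
    return $wpdb->get_var( "SELECT COUNT(*) FROM {$table} WHERE course_id = " . $course_id );
}

function example_count_attempts_for_course( $course_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_quiz_attempts';
    // SAFE: the %d placeholder forces an integer and prepare() does the quoting.
    return (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE course_id = %d",
        $course_id
    ) );
}
```

Two design points worth noting. The ownership lookup and the delete both go through `$wpdb->prepare()` / `$wpdb->delete()` even though `absint()` has already made the id numeric; relying on input coercion alone leaves the query fragile the next time someone passes a string column through it. And the authorization decision is made against data fetched from the database (which course the attempt belongs to), never against anything the client sent, because the whole point of an IDOR is that the client controls the id.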

Summary:

The Tutor LMS – eLearning and online course solution plugin for WordPress has vulnerabilities in versions up to and including 2.7.1 that allow authenticated attackers to perform Insecure Direct Object Reference and SQL Injection attacks. These vulnerabilities have been patched in version 2.7.2.

Detailed Overview:

The vulnerabilities arise from insufficient input validation and query preparation in critical functions of the plugin. Attackers holding the respective roles can exploit these flaws to delete quiz attempts they do not own or to inject additional SQL into existing queries, potentially compromising site security and data integrity.

Advice for Users:

Immediate Action: Update the Tutor LMS – eLearning and online course solution plugin to version 2.7.2 immediately to mitigate the risk of exploitation.

Check for Signs of Vulnerability: Monitor site and plugin logs for suspicious activity, such as quiz attempt deletions by users who do not own the related course, or unusual or slow database queries involving the course_id parameter.

Alternate Plugins: Consider temporarily disabling the plugin until the update is applied or explore alternative plugins that offer similar eLearning functionalities.

Stay Updated: Regularly update all WordPress plugins to their latest versions to safeguard against vulnerabilities and ensure ongoing site security.

Conclusion:

The prompt release of version 2.7.2 by the plugin developers highlights the importance of swift updates in securing WordPress sites. Users are strongly advised to ensure they are running version 2.7.2 or newer to protect their installations from potential exploits.

Detailed Report: 

In today's digital landscape, the security of your WordPress website is paramount. Keeping plugins up to date is not just a best practice but a critical defense against potential vulnerabilities that can compromise your site's integrity and user data. Recently, vulnerabilities have been uncovered in the Tutor LMS – eLearning and online course solution plugin, serving as a stark reminder of the risks associated with outdated software. These vulnerabilities affect versions up to and including 2.7.1, allowing authenticated attackers to exploit flaws in the plugin’s functionality.

Risks/Potential Impacts of the Vulnerability:

These vulnerabilities pose significant risks to both site owners and users. Insecure direct object reference and SQL injection attacks can lead to data breaches, loss of user trust, and potential legal repercussions. For eLearning platforms using Tutor LMS, compromised quiz data or leaked sensitive information can severely impact course integrity and user confidentiality.

How to Remediate the Vulnerability:

Immediate Action: The most crucial step is to update the Tutor LMS – eLearning and online course solution plugin to version 2.7.2 immediately. This update patches the identified vulnerabilities, mitigating the risk of exploitation.

Check for Signs of Vulnerability: Monitor plugin logs and site activity for any signs of suspicious behavior, such as unauthorized quiz deletions or unusual SQL queries.

Alternate Plugins: Consider temporarily disabling the plugin until the update is applied. Explore alternative plugins that offer similar eLearning functionalities but with updated security measures.

Stay Updated: Regularly check for and apply updates to all WordPress plugins to ensure ongoing protection against emerging vulnerabilities and potential exploits.

Overview of Previous Vulnerabilities:

Since February 4, 2020, Tutor LMS has encountered 35 previous vulnerabilities, indicating a pattern of security challenges. Each vulnerability underscores the importance of proactive monitoring and timely updates to maintain site security.

Conclusion:

The rapid release of version 2.7.2 by themeum, the developers of Tutor LMS, highlights the critical role of swift updates in safeguarding WordPress sites. Small business owners managing WordPress websites must prioritize plugin updates and remain vigilant against security vulnerabilities. By staying proactive and informed, businesses can protect their online presence, maintain customer trust, and mitigate potential risks effectively.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
