Tutor LMS Vulnerability – eLearning and online course solution – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘tutor_instructor_list’ Shortcode – CVE-2024-3994 | WordPress Plugin Vulnerability Report
Plugin Name: Tutor LMS – eLearning and online course solution
Key Information:
- Software Type: Plugin
- Software Slug: tutor
- Software Status: Active
- Software Author: themeum
- Software Downloads: 2,051,836
- Active Installs: 80,000
- Last Updated: May 9, 2024
- Patched Versions: 2.7.0
- Affected Versions: <= 2.6.2
Vulnerability Details:
- Name: Tutor LMS – eLearning and online course solution <= 2.6.2
- Title: Authenticated (Contributor+) Stored Cross-Site Scripting via 'tutor_instructor_list' Shortcode
- Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- CVE: CVE-2024-3994
- CVSS Score: 5.4
- Publicly Published: April 24, 2024
- Researcher: wesley
- Description: The Tutor LMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tutor_instructor_list' shortcode in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping on user-supplied attributes. Authenticated attackers, with contributor-level access and above, can inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Summary:
The Tutor LMS plugin for WordPress has a vulnerability in versions up to and including 2.6.2 that allows for stored cross-site scripting via the plugin's 'tutor_instructor_list' shortcode. This vulnerability has been patched in version 2.7.0.
Detailed Overview:
The vulnerability in the Tutor LMS plugin was discovered by researcher Wesley. It specifically affects the 'tutor_instructor_list' shortcode, where insufficient sanitization and escaping of user-supplied attributes allows for the injection of malicious scripts. The potential for harm includes unauthorized data access and manipulation by attackers, thereby posing a significant security risk to sites using older versions of the plugin. The remediation of this vulnerability has been achieved with the release of version 2.7.0, which addresses these security gaps.
Advice for Users:
- Immediate Action: Update to the patched version 2.7.0 immediately to close the security loophole.
- Check for Signs of Vulnerability: Admins should review their site pages for unexpected scripts or behaviors, particularly where the 'tutor_instructor_list' shortcode is used.
- Alternate Plugins: Although a patched version is available, users may, as a precaution, consider evaluating other eLearning plugins that offer similar functionality and have a stronger security track record.
- Stay Updated: Ensuring that all your WordPress plugins are kept up to date is crucial in preventing vulnerabilities and protecting your site against emerging threats.
Conclusion:
The prompt patching of the Tutor LMS plugin to version 2.7.0 highlights the ongoing challenge and necessity of maintaining software security. Site administrators are urged to update their installations to this version or later to safeguard their WordPress sites effectively against this and potentially other vulnerabilities.
Detailed Report:
In the realm of digital education, WordPress plugins like Tutor LMS play a pivotal role in creating engaging online courses. Yet, this digital convenience comes with inherent risks, highlighted by the recent discovery of a Stored Cross-Site Scripting (XSS) vulnerability in Tutor LMS. Officially known as CVE-2024-3994, this vulnerability exposes the pressing need for vigilant software updates and robust security measures. It serves as a stark reminder that keeping digital tools updated is not just a matter of accessing new features but a crucial defense against potential cyber threats.
Vulnerability Overview:
The vulnerability in question was discovered in versions up to and including 2.6.2 of the Tutor LMS plugin. Identified by researcher Wesley, it involves the 'tutor_instructor_list' shortcode, where insufficient sanitization and escaping of user-supplied attributes allow authenticated users with contributor-level access to inject malicious scripts. This XSS vulnerability, cataloged under CVE-2024-3994, holds a CVSS score of 5.4, signaling a moderate threat that demands immediate attention.
Risks and Potential Impacts:
The exploitation of this vulnerability could enable attackers to perform unauthorized actions such as stealing user data, compromising user sessions, or redirecting visitors to malicious websites. For any eLearning platform, such security breaches can lead to significant reputational damage, loss of trust among users, and potential legal ramifications. Given the sensitive nature of educational content and personal data, the stakes are particularly high.
Remediation Steps:
To mitigate this vulnerability, users are urged to:
- Update immediately to the latest patched version, 2.7.0, to close the security loophole.
- Review site pages for unexpected scripts or behaviors, especially where the 'tutor_instructor_list' shortcode is used.
- Consider alternatives or additional security measures if continual plugin updates pose a challenge.
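A defender-side check for the review step above, added here as an example that is not part of the original report or of the plugin's code: it scans exported post content for 'tutor_instructor_list' shortcodes whose attribute values contain HTML tags, event handlers or script URLs. The post rows and attribute names are constructed sample data, not taken from Tutor LMS.

```python
import re

# Matches the tutor_instructor_list shortcode and captures its raw attribute string.
SHORTCODE_RE = re.compile(r"\[tutor_instructor_list\b([^\]]*)\]", re.IGNORECASE)
# WordPress-style shortcode attributes: key="value", key='value' or key=value.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")
# Markup that has no business in a shortcode attribute: tags, event handlers, script URLs.
SUSPICIOUS_RE = re.compile(r"[<>]|\bon\w+\s*=|javascript:", re.IGNORECASE)

def parse_attrs(raw):
    """Parse a shortcode's attribute string into a {name: value} dict."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        # Exactly one of the three value groups matches; an empty quoted value yields "".
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs

def suspicious_attrs(post_content):
    """Return (attr, value) pairs from tutor_instructor_list shortcodes that look injected."""
    findings = []
    for sc in SHORTCODE_RE.finditer(post_content):
        for name, value in parse_attrs(sc.group(1)).items():
            if SUSPICIOUS_RE.search(value):
                findings.append((name, value))
    return findings

def scan_posts(posts):
    """posts: iterable of (post_id, post_content). Returns {post_id: findings} for flagged posts."""
    report = {}
    for post_id, content in posts:
        hits = suspicious_attrs(content)
        if hits:
            report[post_id] = hits
    return report

# Constructed sample post rows (not real site data); attribute names are illustrative only.
# Post 102 mimics a page whose attribute carries markup instead of a plain setting value.
SAMPLE_POSTS = [
    (101, 'Meet our team: [tutor_instructor_list column_per_row="3" show_filter="on"]'),
    (102, "Instructors [tutor_instructor_list column_per_row='<b onmouseover=x>' show_filter=on]"),
    (103, "No shortcode on this page at all."),
]

if __name__ == "__main__":
    for post_id, hits in scan_posts(SAMPLE_POSTS).items():
        print(post_id, hits)
```

Feed it rows exported from the wp_posts table (or from WP-CLI); any flagged post should be inspected and cleaned in addition to applying the 2.7.0 update.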
Historical Vulnerabilities:
It is worth noting that this is not the first time Tutor LMS has faced security issues; there have been 30 documented vulnerabilities since February 4, 2020. This history underscores the need for ongoing vigilance and proactive security practices.
Conclusion:
The swift patching of Tutor LMS to version 2.7.0 underscores the ongoing challenges and the necessity of maintaining software security. For small business owners, keeping up with security updates can seem daunting, especially when resources are limited. However, the consequences of neglect can be far more severe. Incorporating regular security checks and updates into your website management routine is not just beneficial; it is essential for safeguarding your digital presence.
Staying Secure
Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.
Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.
Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.