Tutor LMS Vulnerability – eLearning and online course solution – Missing Authorization to Unauthenticated Limited Options Update – CVE-2024-3553 | WordPress Plugin Vulnerability Report

Plugin Name: Tutor LMS – eLearning and online course solution

Key Information:

  • Software Type: Plugin
  • Software Slug: tutor
  • Software Status: Active
  • Software Author: themeum
  • Software Downloads: 2,052,510
  • Active Installs: 80,000
  • Last Updated: May 10, 2024
  • Patched Versions: 2.7.0
  • Affected Versions: <= 2.6.2

Vulnerability Details:

  • Name: Tutor LMS <= 2.6.2
  • Title: Missing Authorization to Unauthenticated Limited Options Update
  • Type: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
  • CVE: CVE-2024-3553
  • CVSS Score: 6.5
  • Publicly Published: April 26, 2024
  • Researcher: M.Awad
  • Description: The Tutor LMS plugin for WordPress, designed for eLearning and online courses, has a significant security flaw in versions up to and including 2.6.2. This vulnerability arises from a missing capability check within the hide_notices function, which inadvertently allows unauthenticated users to enable user registration on sites where it may have been intentionally disabled.


The Tutor LMS plugin for WordPress contains a vulnerability in versions up to and including 2.6.2 that allows unauthenticated users to alter site settings without permissions. This critical security issue has been addressed in the recently released version 2.7.0.

Detailed Overview:

This vulnerability in Tutor LMS exposes websites to potential unauthorized data modifications, particularly concerning user registration settings. The absence of proper authorization checks in the plugin's functions means that any visitor, without needing to log in, could enable user registration. This could lead to unauthorized access and possibly other malicious activities. The researcher M.Awad discovered this flaw, emphasizing the need for stringent security practices in plugin development. Remediation has been implemented in the latest patch, preventing further exploitation of this oversight.

Advice for Users:

  • Immediate Action: Users should update to version 2.7.0 immediately to close this security loophole.
  • Check for Signs of Vulnerability: Administrators should check their website settings, particularly user registration and notice settings, to ensure no unauthorized changes have been made.
  • Alternate Plugins: While Tutor LMS has been patched, users concerned about security may consider evaluating other eLearning platforms to ensure they have the most secure and robust solution.
  • Stay Updated: It is critical to keep all software on your site updated to the latest versions to mitigate the risk of vulnerabilities.


The quick resolution with a patch in Tutor LMS version 2.7.0 highlights the active response needed from developers to maintain security in the dynamic WordPress ecosystem. Users of Tutor LMS are strongly advised to update their plugins immediately to version 2.7.0 or later to ensure their sites remain secure against this type of vulnerability.


Detailed Report: 

In the vast and ever-evolving world of website management, maintaining robust security measures is not just a recommendation; it's a necessity. For small business owners, staying ahead of potential threats by keeping website components up-to-date is crucial. The recent discovery of a security vulnerability in the Tutor LMS plugin—a popular eLearning and online course solution for WordPress—highlights the ongoing risks and emphasizes the importance of vigilant security practices.

Plugin Overview: Tutor LMS – eLearning and Online Course Solution

Tutor LMS is widely used in the educational sector, boasting over 80,000 active installs. As a key tool for creating and managing online courses on WordPress, it facilitates extensive user interaction, which makes it a significant asset for online educators. However, this utility also comes with heightened security responsibilities.

Vulnerability Details and Implications

A critical security flaw was identified in versions up to and including 2.6.2 of Tutor LMS, officially cataloged under CVE-2024-3553. This vulnerability allows unauthenticated users to alter site settings without permission due to a missing capability check within the hide_notices function. Specifically, it could enable or disable user registration, potentially leading to unauthorized site access and other malicious activities. The CVSS score of 6.5 indicates a considerable impact, necessitating immediate attention.

Previous Security Issues

This is not the first challenge for Tutor LMS; the plugin has been patched multiple times, with 31 vulnerabilities reported since February 2020. Each incident serves as a learning opportunity and a reminder of the importance of constant vigilance in the digital space.

Remediation Steps

To address this specific vulnerability, the developers have released a patch in version 2.7.0. Users are urged to update their installations without delay to protect against this exploit. Additionally, it's advisable for site administrators to review their site settings, especially around user registrations and notices, to ensure no unauthorized changes have been made.

Advice for Busy Small Business Owners

For small business owners juggling multiple responsibilities, managing website security might seem daunting. Automating as many of these processes as possible—such as setting plugins to update automatically and using trusted security plugins to conduct regular scans—can significantly reduce the burden. Engaging with a professional service for regular security audits can also provide peace of mind, ensuring that your website remains secure without needing constant direct oversight.

Conclusion: The Imperative of Proactive Security Management

The quick resolution provided by Tutor LMS's developers with the release of patch 2.7.0 underscores the critical nature of timely updates in safeguarding digital assets. In an era where digital threats are constantly evolving, the proactive management of security vulnerabilities is not just prudent; it's essential to maintain trust and functionality. Remember, the security of your website directly influences the security of your business, making it imperative to stay informed and proactive in your cybersecurity efforts.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Tutor LMS Vulnerability – eLearning and online course solution – Missing Authorization to Unauthenticated Limited Options Update – CVE-2024-3553 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment