Tutor LMS Vulnerability – Missing Authorization & Authenticated HTML Injection – CVE-2024-1133 & CVE-2024-1128 | WordPress Plugin Vulnerability Report
Plugin Name: Tutor LMS
Key Information:
- Software Type: Plugin
- Software Slug: tutor
- Software Status: Active
- Software Author: themeum
- Software Downloads: 1,925,315
- Active Installs: 80,000
- Last Updated: February 20, 2024
- Patched Versions: 2.6.1
- Affected Versions: <= 2.6.0
Vulnerability 1 Details:
- Name: Tutor LMS <= 2.6.0 - Missing Authorization
- Title: Missing Authorization
- Type: Missing Authorization
- CVE: CVE-2024-1133
- CVSS Score: 4.3 (Medium)
- Publicly Published: February 20, 2024
- Researcher: drop
- Description: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of restricted Q&A content due to a missing capability check when interacting with questions in all versions up to, and including, 2.6.0. This makes it possible for authenticated attackers, with subscriber access or higher, to interact with questions in courses in which they are not enrolled including private courses.
Vulnerability 2 Details:
- Name: Tutor LMS <= 2.6.0 - Authenticated(Student+) HTML Injection via Q&A
- Title: Authenticated(Student+) HTML Injection via Q&A
- Type: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
- CVE: CVE-2024-1128
- CVSS Score: 5.4 (Medium)
- Publicly Published: February 20, 2024
- Researcher: drop
- Description: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 2.6.0. This is due to insufficient sanitization of HTML input in the Q&A functionality. This makes it possible for authenticated attackers, with Student access and above, to inject arbitrary HTML onto a site, though it does not allow Cross-Site Scripting.
Summary:
The Tutor LMS plugin for WordPress has vulnerabilities in versions up to and including 2.6.0 that allow unauthorized access to restricted Q&A content and HTML injection. These vulnerabilities have been patched in version 2.6.1.
Detailed Overview:
The Tutor LMS plugin has two vulnerabilities that were publicly disclosed on February 20, 2024. The first is a missing authorization check that allows any authenticated user with subscriber access or higher to interact with questions and answers in courses they are not enrolled in. This includes private courses.
The second vulnerability is an insufficient sanitization of user input that allows authenticated users with student access or higher to inject arbitrary HTML. This could be used to alter the appearance of pages or trick users, but does not allow for cross-site scripting attacks.
Both of these issues were addressed in version 2.6.1, which checks user authorization properly and sanitizes input. Users are advised to update as soon as possible to ensure the security of their site.
Advice for Users:
- Immediate Action: Update to version 2.6.1 or higher as soon as possible.
- Check for Signs of Vulnerability: Review courses and question logs for any unauthorized or suspicious activity.
- Alternate Plugins: Consider using LearnDash or Sensei as alternative LMS plugins.
- Stay Updated: Enable automatic updates for plugins whenever possible. Monitor the Tutor LMS plugin for future security updates.
Conclusion:
The prompt patch from Tutor LMS addresses two important vulnerabilities impacting site security and user privacy. Users should apply the 2.6.1 update immediately to close these gaps. Staying current on plugin updates is the most effective way to keep WordPress secure against emerging threats.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/tutor?page=2
Detailed Report:
The recently disclosed vulnerabilities in the popular Tutor LMS eLearning plugin illustrate why staying on top of WordPress security matters. This plugin, which powers online courses for over 80,000 sites, contained flaws allowing the viewing of private Q&A content and the injection of arbitrary HTML until a patch fixed the issues. For small business owners running on WordPress, threats like this demonstrate the importance of vigilant updating.
Tutor LMS has been downloaded almost 2 million times and is used to build learning portals, quizzes, and protected course access. All versions up to and including 2.6.0 carried two vulnerabilities that were publicly reported in February 2024, each allowing ordinary authenticated users to act beyond the access their role should permit.
The first vulnerability lets users with the subscriber role or higher reach the question and answer sections of courses, including private courses, without being enrolled. Course creators assume these materials are protected, but the flaw bypasses the enrollment check entirely. Attackers may not disrupt site operations, but they can help themselves to restricted content.
The second is an input sanitization vulnerability that lets authenticated users with the student role or higher inject arbitrary HTML into Q&A sections. Because that markup is rendered on course pages viewed by administrators and other visitors, consequences range from defaced pages to phishing content that tricks customers; per the advisory, script execution (cross-site scripting) is not possible, but misleading markup is.
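Both flaw classes described above (the missing authorization check in the Detailed Overview and here, and the insufficient HTML sanitization in the Q&A handler) come down to two checks that a WordPress AJAX handler must perform before storing user-submitted content. The following example is added here for illustration and is not Tutor LMS's own code: it shows a question-submission handler first in a vulnerable shape that matches the two advisories, then in a hardened shape. The hook names, the nonce action, the comment type, and the helper example_user_is_enrolled() are all assumptions standing in for the plugin's real equivalents; only the WordPress core functions (check_ajax_referer, current_user_can, wp_kses, wp_send_json_error, and so on) are real.

```php
<?php
// Added example (not Tutor LMS code): a course Q&A submission handler in a
// vulnerable shape and a hardened shape. Hook names, nonce action, comment
// type and example_user_is_enrolled() are assumptions; WP core calls are real.

// --- Vulnerable shape: no enrollment check, raw HTML stored -------------------
function example_qa_submit_vulnerable() {
    $course_id = (int) ( $_POST['course_id'] ?? 0 );
    $question  = $_POST['question'] ?? '';   // untrusted HTML, stored verbatim
    // Any logged-in user reaches this point: nothing ties the request to an
    // enrollment, and the markup is later rendered to instructors and admins.
    example_store_question( $course_id, get_current_user_id(), $question );
    wp_send_json_success();
}

// --- Hardened shape ---------------------------------------------------------------
function example_user_is_enrolled( $course_id, $user_id ) {
    // Placeholder (assumption): swap in the plugin's own enrollment lookup.
    return (bool) get_user_meta( $user_id, 'example_enrolled_' . $course_id, true );
}

function example_qa_submit_hardened() {
    // 1. CSRF protection: the request must carry a nonce for this action.
    check_ajax_referer( 'example_qa_submit', 'nonce' );

    // 2. Authorization: reject anonymous users and anyone who is neither
    //    enrolled in this specific course nor allowed to edit it (instructor).
    $user_id   = get_current_user_id();
    $course_id = absint( $_POST['course_id'] ?? 0 );
    if ( ! $user_id || ! $course_id ) {
        wp_send_json_error( 'invalid request', 400 );
    }
    if ( ! example_user_is_enrolled( $course_id, $user_id )
        && ! current_user_can( 'edit_post', $course_id ) ) {
        wp_send_json_error( 'not enrolled in this course', 403 );
    }

    // 3. Sanitization against an explicit allow-list. wp_kses() removes every
    //    tag and attribute not listed, so <script>, on* handlers, <iframe>,
    //    <form> and <a href> (phishing-capable markup) never reach storage.
    $raw      = wp_unslash( $_POST['question'] ?? '' );
    $question = wp_kses( $raw, example_qa_allowed_html() );
    if ( '' === trim( wp_strip_all_tags( $question ) ) ) {
        wp_send_json_error( 'empty question', 400 );
    }

    example_store_question( $course_id, $user_id, $question );
    wp_send_json_success();
}

function example_qa_allowed_html() {
    // Deliberately narrower than wp_kses_post(): plain formatting only.
    return array(
        'p'      => array(),
        'br'     => array(),
        'strong' => array(),
        'em'     => array(),
        'code'   => array(),
        'pre'    => array(),
        'ul'     => array(),
        'ol'     => array(),
        'li'     => array(),
    );
}

function example_store_question( $course_id, $user_id, $question ) {
    // Persist as a comment attached to the course post. On output, escape
    // again (wp_kses_post() for formatted text, esc_html() otherwise).
    return wp_insert_comment( array(
        'comment_post_ID' => $course_id,
        'user_id'         => $user_id,
        'comment_content' => $question,
        'comment_type'    => 'example_question',
    ) );
}

add_action( 'wp_ajax_example_qa_submit', 'example_qa_submit_hardened' );
```

Two design points are worth noting. The enrollment check is made against the specific course in the request, not merely against the user's role, which is exactly the distinction the first advisory turns on: a subscriber may legitimately be enrolled in one course and not another. And the allow-list is kept narrower than the usual post-content list because the second advisory is an HTML-injection issue that stops short of XSS; a filter that strips scripts but still permits forms, links and iframes leaves room for the phishing-style content the report describes.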
While the flaws are now patched in Tutor LMS version 2.6.1, the issues clearly create unnecessary risk and uncertainty for site owners. Developers may be quick to address disclosed problems, but too often vulnerable software lingers for years. Updating and hardening WordPress sites is thus crucial for preventing issues instead of reacting after incidents emerge.
As a business owner, you don't have time to constantly monitor for WordPress vulnerabilities like this. At Your WP Guy, we become your outsourced IT team to handle security, updates, maintenance and support. Let us fully audit your site and plugins to assess any impact from this issue. We'll update everything to patched versions so you can rest easy knowing your site is locked down.
Focus on your business goals while we focus on your WordPress site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 for a free consultation on securing your online presence.