Tutor LMS Vulnerability – Multiple Vulnerabilities – CVE-2024-4279, CVE-2024-4318, CVE-2024-4223 | WordPress Plugin Vulnerability Report

Plugin Name: Tutor LMS

Key Information:

  • Software Type: Plugin
  • Software Slug: tutor
  • Software Status: Active
  • Software Author: themeum
  • Software Downloads: 2,095,500
  • Active Installs: 80,000
  • Last Updated: May 15, 2024
  • Patched Versions: 2.7.1
  • Affected Versions: <= 2.7.0

Vulnerability 1 Details:

  • Name: Tutor LMS – eLearning and online course solution <= 2.7.0 - Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Course Deletion
  • Title: Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Course Deletion
  • Type: Authorization Bypass Through User-Controlled Key
  • CVE: CVE-2024-4279
  • CVSS Score: 6.5 (Medium)
  • Publicly Published: May 15, 2024
  • Researcher: Thanh Nam Tran
  • Description: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutor_course_delete' function due to missing validation on a user-controlled key. This can allow authenticated attackers, with Instructor-level permissions and above, to delete any course.

Vulnerability 2 Details:

  • Name: Tutor LMS <= 2.7.0 - Authenticated (Instructor+) SQL Injection
  • Title: Authenticated (Instructor+) SQL Injection
  • Type: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CVE: CVE-2024-4318
  • CVSS Score: 8.8 (High)
  • Publicly Published: May 15, 2024
  • Researcher: Thanh Nam Tran
  • Description: The Tutor LMS plugin for WordPress is vulnerable to time-based SQL Injection via the 'question_id' parameter in versions up to, and including, 2.7.0 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Instructor-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Vulnerability 3 Details:

  • Name: Tutor LMS <= 2.7.0 - Missing Authorization
  • Title: Missing Authorization
  • Type: Missing Authorization
  • CVE: CVE-2024-4223
  • CVSS Score: 9.8 (Critical)
  • Publicly Published: May 15, 2024
  • Researcher: villu164
  • Description: The Tutor LMS plugin for WordPress is vulnerable to unauthorized access to data, modification of data, and loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete data.
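As an added illustration (not Tutor LMS code and not taken from the report), the hypothetical WordPress AJAX handler below shows the three controls whose absence produces the bug classes listed above: a capability check (missing authorization), an ownership check on the user-supplied ID (IDOR), and a prepared statement for the query parameter (SQL injection). The function names, the 'courses' post type, the table name and the nonce action are all assumed.

```php
<?php
// Hypothetical plugin code for illustration only; not Tutor LMS's implementation.
add_action( 'wp_ajax_myplugin_delete_course', 'myplugin_delete_course' );

function myplugin_delete_course() {
    // 1. Capability check: an endpoint without this is reachable by anyone who can
    //    hit admin-ajax.php (the "missing capability check" class, CVE-2024-4223).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Nonce check against cross-site request forgery ('nonce' is the assumed field name).
    check_ajax_referer( 'myplugin_delete_course', 'nonce' );

    // 2. Object-level check: the ID comes from the request, so the handler must verify
    //    that it refers to an object this user may delete (the IDOR class, CVE-2024-4279).
    $course_id = isset( $_POST['course_id'] ) ? absint( $_POST['course_id'] ) : 0;
    $course    = $course_id ? get_post( $course_id ) : null;
    if ( ! $course || 'courses' !== $course->post_type ) { // 'courses' post type is assumed
        wp_send_json_error( 'not found', 404 );
    }
    $is_owner = (int) $course->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // For post types that map meta capabilities, current_user_can( 'delete_post', $course_id )
    // expresses the same ownership-or-admin rule in one call.
    wp_delete_post( $course_id, true );
    wp_send_json_success( array( 'deleted' => $course_id ) );
}

// 3. Parameterised query: a request value is bound with a placeholder, never concatenated
//    into the SQL string (the time-based injection class, CVE-2024-4318).
function myplugin_get_question( $question_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_questions'; // assumed table name
    // Vulnerable form, for contrast (do not use):
    //   $wpdb->get_row( "SELECT * FROM {$table} WHERE question_id = " . $_POST['question_id'] );
    // %d casts the bound value to an integer, so appended SQL cannot change the statement.
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE question_id = %d", absint( $question_id ) );
    return $wpdb->get_row( $sql );
}
```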

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/tutor

Vulnerability 1: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/tutor/tutor-lms-elearning-and-online-course-solution-270-authenticated-instructor-insecure-direct-object-reference-to-arbitrary-course-deletion

Vulnerability 2: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/tutor/tutor-lms-270-authenticated-instructor-sql-injection

Vulnerability 3: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/tutor/tutor-lms-270-missing-authorization

Detailed Report:

Attention all WordPress website owners using the Tutor LMS plugin! A series of vulnerabilities, including one rated critical, has been discovered in this popular eLearning and online course solution, putting your website's security at risk. As a responsible website owner, it is crucial to stay informed about such vulnerabilities and take immediate action to protect your site and your users' data.

About the Plugin

Tutor LMS is an active WordPress plugin developed by themeum, with over 2 million downloads and 80,000 active installations. The plugin was last updated on May 15, 2024, and the patched version is 2.7.1. The affected versions are 2.7.0 and below.

Vulnerability Details

Three vulnerabilities have been discovered in the Tutor LMS plugin:

  1. CVE-2024-4279 (CVSS Score: 6.5 - Medium): Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Course Deletion
  2. CVE-2024-4318 (CVSS Score: 8.8 - High): Authenticated (Instructor+) SQL Injection
  3. CVE-2024-4223 (CVSS Score: 9.8 - Critical): Missing Authorization

These vulnerabilities were publicly disclosed on May 15, 2024, by researchers Thanh Nam Tran and villu164.

Risks and Potential Impacts

The discovered vulnerabilities pose significant risks to websites using the affected versions of the Tutor LMS plugin:

  1. Arbitrary Course Deletion: Authenticated attackers with Instructor-level permissions and above can delete any course.
  2. SQL Injection: Authenticated attackers with Instructor-level permissions and above can extract sensitive information from the database.
  3. Missing Authorization: Unauthenticated attackers can add, modify, or delete data.

These vulnerabilities can lead to data loss, data manipulation, and unauthorized access to sensitive information.

Remediation Steps

To protect your website from these vulnerabilities, follow these steps:

  1. Immediate Action: Update the Tutor LMS plugin to version 2.7.1 or later.
  2. Check for Signs of Vulnerability: Review your website for any unauthorized changes or suspicious activity.
  3. Consider Alternative Plugins: If you are concerned about the plugin's security, consider using alternative plugins with similar functionality.
  4. Stay Updated: Ensure that all your WordPress plugins are always updated to the latest versions to avoid vulnerabilities.

Previous Vulnerabilities

The Tutor LMS plugin has had 34 previous vulnerabilities since February 2020, underscoring the importance of staying vigilant and keeping the plugin updated.

The Importance of Staying on Top of Security Vulnerabilities

As a small business owner with a WordPress website, it can be challenging to find the time to stay on top of security vulnerabilities. However, neglecting these issues can lead to severe consequences, such as data breaches, website downtime, and loss of customer trust.

By regularly updating your plugins, monitoring your website for suspicious activity, and staying informed about the latest security threats, you can significantly reduce the risk of falling victim to these vulnerabilities. If you find it difficult to manage these tasks yourself, consider partnering with a reliable web development or security agency that can help you keep your website secure and up-to-date.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
