WordPress Plugin Vulnerabilities

Tutor LMS < 2.2.1 - Unauthenticated Access to Tutor LMS Lesson Resources via REST API

Description

The plugin does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available.

Proof of Concept

Affects Plugins

Plugin icon
tutor
Fixed in 2.2.1

References

CVE
CVE-2023-3133
URL
https://plugins.trac.wordpress.org/browser/tutor/tags/2.2.0/classes/RestAPI.php#L253
URL
https://wordpress.org/plugins/tutor/
YouTube Video

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
A. S. M. Muhiminul Hasan
Submitter
A. S. M. Muhiminul Hasan
Submitter website
https://muhiminulhasan.me
Submitter twitter
muhiminulhasan
Verified
Yes
WPVDB ID
3b6969a7-5cbc-4e16-8f27-5dde481237f5

Timeline

Publicly Published
2023-06-12 (about 2 years ago)
Added
2023-06-12 (about 2 years ago)
Last Updated
2023-06-12 (about 2 years ago)

Other

Published
Title
Published
2024-04-22
Title
BuddyBoss platform < 2.7.60 - Private Comment Exposure via IDOR
Published
2021-06-28
Title
User Profile Picture < 2.6.0 - Arbitrary User Picture Change/Deletion via IDOR
Published
2025-05-06
Title
WPshop 2 – E-Commerce 2.0.0 - 2.6.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Key Generation
Published
2024-04-22
Title
Rate My Post – Star Rating Plugin by FeedbackWP < 3.4.5 - Insecure Direct Object Reference
Published
2024-06-06
Title
Tutor LMS – eLearning and online course solution < 2.7.2 - Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Quiz Attempt Deletion