WordPress Plugin Vulnerabilities

Tutor LMS < 2.7.2 - Authenticated (Admin+) Path Traversal

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Administrator-level access and above, to perform actions on files outside of the originally intended directory.

Affects Plugins

Plugin icon
tutor
Fixed in 2.7.2

References

CVE
CVE-2024-37266
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/c0c293db-5526-4600-838a-6e88586926c4

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
2.7 (low)

Miscellaneous

Original Researcher
filime
Verified
No
WPVDB ID
49725821-077b-43d4-b62d-4616f67917fa

Timeline

Publicly Published
2024-06-27 (about 1 year ago)
Added
2024-07-03 (about 1 year ago)
Last Updated
2024-07-03 (about 1 year ago)

Other

Published
Title
Published
2026-04-07
Title
Advanced Members for ACF < 1.2.6 - Authenticated (Subscriber+) Arbitrary File Deletion via Path Traversal
Published
2026-04-14
Title
Eleganzo < 1.3 - Authenticated (Subscriber+) Arbitrary Directory Deletion
Published
2018-06-12
Title
Redirection < 2.8 - Authenticated Local File Inclusion
Published
2025-08-14
Title
Barcode Scanner with Inventory & Order Manager < 1.9.1 - Authenticated (Admin+) Arbitrary File Download
Published
2025-03-19
Title
Order Export & Order Import for WooCommerce < 2.6.1 - Directory Traversal to Authenticated (Administrator+) Limited Arbitrary File Read via download_file Function