CVE-2021-24184
📋 TL;DR
This vulnerability in Tutor LMS WordPress plugin allows students to access unprotected AJAX endpoints, enabling them to modify course information and escalate privileges. It affects WordPress sites using Tutor LMS for eLearning functionality. Attackers can perform unauthorized actions that should be restricted to instructors or administrators.
💻 Affected Systems
- Tutor LMS - eLearning and online course solution WordPress plugin
📦 What is this software?
Tutor LMS by Themeum
⚠️ Risk & Real-World Impact
Worst Case
Attackers could gain administrative access to the WordPress site, modify all courses, steal student data, or install backdoors for persistent access.
Likely Case
Students could modify their own grades, access premium content without payment, or tamper with course materials they shouldn't have access to.
If Mitigated
With proper access controls and monitoring, unauthorized actions would be detected and blocked before causing significant damage.
🎯 Exploit Status
Exploitation requires student-level access but is straightforward once authenticated. Public proof-of-concept code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.7 and later
Vendor Advisory: https://wordpress.org/plugins/tutor/
Restart Required: No
Instructions:
1. Log into WordPress admin dashboard
2. Navigate to Plugins → Installed Plugins
3. Find Tutor LMS plugin
4. Click 'Update Now' if update available
5. If manual update needed: download version 1.7.7+ from WordPress.org, deactivate old version, upload new version, activate plugin
🔧 Temporary Workarounds
Disable vulnerable endpoints via .htaccess
Block access to vulnerable AJAX endpoints at the web server level (Linux, Apache with mod_rewrite):
# Add to .htaccess in WordPress root directory
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php
RewriteCond %{QUERY_STRING} action=tutor.*
RewriteRule ^ - [F]
Note: mod_rewrite can only inspect the query string, so this rule does not catch requests that carry the action parameter in the POST body, which is how admin-ajax.php is commonly called; it also blocks legitimate instructor and administrator use of the same actions.
Temporarily disable plugin
Deactivate Tutor LMS plugin until patched (any platform, via WP-CLI; the plugin slug is tutor, as in the plugin URL above)
wp plugin deactivate tutor
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the WordPress instance
- Enable detailed logging and monitoring for suspicious AJAX requests to tutor endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Tutor LMS → Version number. If the version is below 1.7.7, the site is vulnerable.
Check Version:
wp plugin get tutor --field=version
Verify Fix Applied:
After updating, verify version shows 1.7.7 or higher in WordPress plugins list. Test student accounts cannot access instructor-only AJAX endpoints.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with tutor_* actions from student accounts
- Multiple failed authorization attempts on tutor endpoints
- Course modifications from non-instructor accounts
Network Indicators:
- HTTP POST requests to admin-ajax.php with tutor-specific actions from unexpected user roles
- Unusual traffic patterns to WordPress AJAX endpoints
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND (query="*action=tutor_*" OR post_data="*action=tutor_*") AND (user_role="subscriber" OR user_role="student")
(The role clause must be parenthesised: without the brackets the trailing OR binds loosely and the query matches every event from a "student" role regardless of endpoint or action.)
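An added example, not part of the original advisory, that applies the SIEM rule above to constructed JSON log lines in Python, checking both the query string and the POST body for the action and keeping the three conditions ANDed so the role test cannot match on its own; the field names (uri, query, post_data, user_role) are assumptions mirroring the query.

```python
import json
from urllib.parse import parse_qs

# Constructed sample records (JSON lines). The field names uri, query, post_data
# and user_role are assumed, mirroring the SIEM query above; they are not real logs.
SAMPLE_LOGS = """\
{"ts":"2021-03-10T10:00:01Z","method":"POST","uri":"/wp-admin/admin-ajax.php","query":"","post_data":"action=tutor_update_course&course_id=12","user":"student7","user_role":"subscriber"}
{"ts":"2021-03-10T10:00:02Z","method":"POST","uri":"/wp-admin/admin-ajax.php","query":"","post_data":"action=tutor_update_course&course_id=12","user":"teacher1","user_role":"tutor_instructor"}
{"ts":"2021-03-10T10:00:03Z","method":"GET","uri":"/wp-admin/admin-ajax.php","query":"action=tutor_get_quiz","post_data":"","user":"student7","user_role":"subscriber"}
{"ts":"2021-03-10T10:00:04Z","method":"POST","uri":"/wp-admin/admin-ajax.php","query":"","post_data":"action=heartbeat","user":"student7","user_role":"subscriber"}
{"ts":"2021-03-10T10:00:05Z","method":"GET","uri":"/courses/intro/","query":"","post_data":"","user":"student7","user_role":"subscriber"}
"""

LOW_PRIV_ROLES = {"subscriber", "student"}  # roles named in the SIEM query

def ajax_action(rec):
    """Return the admin-ajax 'action' parameter from the query string or the POST body."""
    for field in ("query", "post_data"):
        params = parse_qs(rec.get(field, ""), keep_blank_values=True)
        if "action" in params:
            return params["action"][0]
    return None

def is_suspicious(rec):
    """All three conditions must hold together: AJAX endpoint, tutor_* action, low-privilege role."""
    if rec.get("uri") != "/wp-admin/admin-ajax.php":
        return False
    action = ajax_action(rec)
    if not action or not action.startswith("tutor_"):
        return False
    return rec.get("user_role") in LOW_PRIV_ROLES

def flag_suspicious(log_text):
    """Parse JSON lines and return the records that match the detection rule."""
    return [rec for rec in map(json.loads, filter(str.strip, log_text.splitlines()))
            if is_suspicious(rec)]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOGS):  # prints the two student7 tutor_* requests
        print(hit["ts"], hit["user"], hit["user_role"], hit["method"], ajax_action(hit))
```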
🔗 References
- https://wpscan.com/vulnerability/5e85917c-7a58-49cb-b8b3-05aa18ffff3e
- https://www.wordfence.com/blog/2021/03/several-vulnerabilities-patched-in-tutor-lms-plugin/