CVE-2024-10897
📋 TL;DR
The Tutor LMS Elementor Addons WordPress plugin has a missing capability check that allows authenticated users with Subscriber-level access or higher to install Elementor or Tutor LMS plugins. This vulnerability affects all versions up to and including 2.1.5. The impact is limited because these plugins are typically already installed as dependencies.
💻 Affected Systems
- Tutor LMS Elementor Addons WordPress plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could install malicious plugins or manipulate existing plugin installations, potentially leading to privilege escalation, backdoor installation, or site compromise.
Likely Case
Limited impact since Elementor and Tutor LMS are usually already installed; attackers might waste resources or cause minor disruption.
If Mitigated
With proper user role management and security monitoring, impact would be minimal to none.
🎯 Exploit Status
Exploitation requires authenticated access with at least Subscriber privileges. The vulnerability is in the install_etlms_dependency_plugin() function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.6 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3186320/tutor-lms-elementor-addons/trunk/classes/Installer.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Tutor LMS Elementor Addons'.
4. Click 'Update Now' if available, or download version 2.1.6+ from the WordPress plugin repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Remove vulnerable plugin
Temporarily disable or remove the Tutor LMS Elementor Addons plugin until it is patched:
wp plugin deactivate tutor-lms-elementor-addons
wp plugin delete tutor-lms-elementor-addons
Restrict user roles
Limit creation of Subscriber-level users and review existing low-privilege accounts.
🧯 If You Can't Patch
- Disable the Tutor LMS Elementor Addons plugin completely
- Implement strict user role management and monitor plugin installation logs
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins, or run: wp plugin get tutor-lms-elementor-addons --field=version
Check Version:
wp plugin get tutor-lms-elementor-addons --field=version
Verify Fix Applied:
Confirm plugin version is 2.1.6 or higher, or check that the install_etlms_dependency_plugin() function includes proper capability checks
📡 Detection & Monitoring
Log Indicators:
- WordPress plugin installation logs from non-admin users
- Unexpected plugin activation events in WordPress debug logs
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action=install_etlms_dependency_plugin
SIEM Query:
source="wordpress" AND (event="plugin_install" OR event="plugin_activate") AND user_role="subscriber"
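The log, network and SIEM indicators above can be checked offline with a small script. The following is an added example, not code from the advisory, the plugin or Wordfence: it runs the two checks over constructed sample log lines (an access log in the common format and a key=value WordPress activity export; the field names user_role, event and plugin are assumed to match the SIEM query above and are not a real plugin's schema). One caveat the network indicator implies but does not state: admin-ajax.php normally receives `action` in the POST body, which a web server access log does not record, so a match in the query string is a strong signal while a miss proves nothing; body-level visibility needs a WAF or request-body logging.

```python
"""Flag requests and plugin events matching the CVE-2024-10897 indicators.

Added example; every log line below is constructed, not captured from a real site.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (common log format). Only the first carries the
# action in the query string; the third is a POST whose body we cannot see.
ACCESS_LOG = """\
203.0.113.5 - - [12/Nov/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=install_etlms_dependency_plugin HTTP/1.1" 200 512
203.0.113.5 - - [12/Nov/2024:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88
198.51.100.9 - - [12/Nov/2024:10:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512
203.0.113.5 - - [12/Nov/2024:10:03:40 +0000] "GET /courses/ HTTP/1.1" 200 10240
"""

# Constructed WordPress-side audit events, key=value per line (assumed schema).
EVENT_LOG = """\
event=plugin_install user=student42 user_role=subscriber plugin=elementor
event=plugin_activate user=student42 user_role=subscriber plugin=elementor
event=plugin_install user=siteadmin user_role=administrator plugin=tutor
event=login user=student42 user_role=subscriber
"""

SUSPICIOUS_ACTION = "install_etlms_dependency_plugin"
PLUGIN_EVENTS = ("plugin_install", "plugin_activate")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_ajax_installs(log_text):
    """Return (ip, timestamp, action) for POSTs to admin-ajax.php whose
    query string names the vulnerable action.

    The action usually travels in the POST body, which access logs omit, so
    this detects the noisy case only; treat an empty result as inconclusive.
    """
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        action = parse_qs(url.query).get("action", [None])[0]
        if action == SUSPICIOUS_ACTION:
            hits.append((m["ip"], m["ts"], action))
    return hits


def find_low_priv_plugin_events(log_text, privileged_roles=("administrator",)):
    """Return plugin install/activate events performed by any role that should
    not hold the install_plugins capability (the SIEM query's logic, widened
    from 'subscriber' to every non-administrator role)."""
    findings = []
    for line in log_text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if fields.get("event") not in PLUGIN_EVENTS:
            continue
        if fields.get("user_role") in privileged_roles:
            continue
        findings.append(fields)
    return findings


if __name__ == "__main__":
    for hit in find_ajax_installs(ACCESS_LOG):
        print("admin-ajax install attempt:", hit)
    for ev in find_low_priv_plugin_events(EVENT_LOG):
        print("plugin event by low-privilege user:", ev)
```

Run it against real exports by replacing the two constructed strings with file contents; the role check deliberately flags every non-administrator role rather than only subscriber, since the advisory says Subscriber-level access or higher is enough.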
🔗 References
- https://plugins.trac.wordpress.org/browser/tutor-lms-elementor-addons/trunk/classes/Installer.php#L152
- https://plugins.trac.wordpress.org/changeset/3186320/tutor-lms-elementor-addons/trunk/classes/Installer.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/99edd858-5e2c-4cc5-adda-d8e70ddc86f6?source=cve