CVE-2024-3553
📋 TL;DR
This vulnerability in the Tutor LMS WordPress plugin allows unauthenticated attackers to enable user registration on WordPress sites where it was previously disabled. It affects all Tutor LMS plugin versions up to and including 2.6.2. Attackers can exploit this to create unauthorized user accounts on vulnerable WordPress installations.
💻 Affected Systems
- Tutor LMS – eLearning and online course solution WordPress plugin
📦 What is this software?
Tutor LMS by Themeum
⚠️ Risk & Real-World Impact
Worst Case
Attackers enable user registration, create administrative accounts, and gain full control of the WordPress site, potentially leading to data theft, defacement, or malware installation.
Likely Case
Attackers enable user registration and create multiple user accounts, potentially for spam, credential stuffing, or initial access for further attacks.
If Mitigated
If user registration is already enabled or proper monitoring is in place, impact is limited to potential spam accounts or minor configuration changes.
🎯 Exploit Status
Simple HTTP request to vulnerable endpoint. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.0
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3076302/tutor/tags/2.7.0/classes/User.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Tutor LMS plugin.
4. Click 'Update Now' if available, or download version 2.7.0 from the WordPress plugin repository.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable Tutor LMS plugin
Platform: Linux. Temporarily disable the vulnerable plugin until patched:
wp plugin deactivate tutor
Web Application Firewall rule
Platform: all. Block requests to the vulnerable hide_notices function endpoint:
Block HTTP POST requests to */wp-admin/admin-ajax.php with action=tutor_hide_notice
🧯 If You Can't Patch
- Implement strict network access controls to limit access to WordPress admin endpoints
- Enable detailed logging and monitoring for user registration changes and admin-ajax.php requests
🔍 How to Verify
Check if Vulnerable:
Check Tutor LMS plugin version in WordPress admin panel under Plugins → Installed Plugins
Check Version:
wp plugin get tutor --field=version
Verify Fix Applied:
Verify plugin version is 2.7.0 or higher, and test that unauthenticated requests to enable user registration fail
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /wp-admin/admin-ajax.php with action=tutor_hide_notice
- Unexpected changes to WordPress user registration settings
- Spike in new user registrations
Network Indicators:
- Unusual traffic patterns to WordPress admin-ajax.php endpoint from unauthenticated sources
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data="action=tutor_hide_notice")
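The SIEM query above matches every request carrying the tutor_hide_notice action, including legitimate ones from logged-in administrators dismissing notices. The following script is an added example (not from the advisory, the vendor, or Wordfence) that applies the same indicators to a web-server log and keeps only the unauthenticated hits, which is what the vulnerability is about. It assumes a JSON-lines log whose records carry `src_ip`, `method`, `uri_path`, `post_data` and a `cookies` map (an assumed schema; the sample records are constructed). A request is treated as authenticated when it carries a `wordpress_logged_in_*` cookie, which is the cookie name prefix WordPress uses for logged-in sessions.

```python
"""Flag unauthenticated POSTs to admin-ajax.php with action=tutor_hide_notice.

Added example for CVE-2024-3553 detection; the log format below is an
assumed JSON-lines schema, not a real server's output.
"""
import json
from collections import Counter
from urllib.parse import parse_qs

TARGET_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "tutor_hide_notice"

# Constructed sample log, not real traffic. The 198.51.100.4 record is a
# logged-in admin dismissing a notice; the 203.0.113.7 records are the
# unauthenticated pattern the advisory describes.
SAMPLE_LOG = """\
{"ts":"2024-04-10T09:00:01Z","src_ip":"203.0.113.7","method":"POST","uri_path":"/wp-admin/admin-ajax.php","post_data":"action=tutor_hide_notice&notice=x","cookies":{}}
{"ts":"2024-04-10T09:00:02Z","src_ip":"203.0.113.7","method":"POST","uri_path":"/wp-admin/admin-ajax.php","post_data":"action=tutor_hide_notice&notice=y","cookies":{}}
{"ts":"2024-04-10T09:05:00Z","src_ip":"198.51.100.4","method":"POST","uri_path":"/wp-admin/admin-ajax.php","post_data":"action=tutor_hide_notice","cookies":{"wordpress_logged_in_placeholder":"placeholder"}}
{"ts":"2024-04-10T09:06:00Z","src_ip":"198.51.100.9","method":"POST","uri_path":"/wp-admin/admin-ajax.php","post_data":"action=heartbeat","cookies":{}}
{"ts":"2024-04-10T09:07:00Z","src_ip":"192.0.2.2","method":"GET","uri_path":"/wp-login.php","post_data":"","cookies":{}}
"""


def parse_log(text):
    """Parse JSON-lines text into a list of record dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_authenticated(record):
    """WordPress sets a wordpress_logged_in_<hash> cookie for logged-in sessions."""
    return any(name.startswith("wordpress_logged_in_")
               for name in record.get("cookies", {}))


def is_hide_notice_request(record):
    """True for a POST to admin-ajax.php whose body carries action=tutor_hide_notice."""
    if record.get("method") != "POST" or record.get("uri_path") != TARGET_PATH:
        return False
    params = parse_qs(record.get("post_data", ""))
    return TARGET_ACTION in params.get("action", [])


def find_unauthenticated_hide_notice(records):
    """Return the records matching the indicator that carry no login cookie."""
    return [r for r in records
            if is_hide_notice_request(r) and not is_authenticated(r)]


def count_by_source(findings):
    """Count matching requests per source IP."""
    return Counter(r["src_ip"] for r in findings)


def alerts(text, threshold=1):
    """Source IPs with at least `threshold` unauthenticated hide_notice POSTs."""
    findings = find_unauthenticated_hide_notice(parse_log(text))
    return {ip: n for ip, n in count_by_source(findings).items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in alerts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} unauthenticated tutor_hide_notice request(s)")
```

Run against the sample, only 203.0.113.7 is reported; the logged-in dismissal and the unrelated heartbeat action are ignored. The same authenticated/unauthenticated split is worth applying to the WAF workaround above: blocking every tutor_hide_notice POST also stops administrators from dismissing plugin notices, so a rule scoped to requests without a WordPress login cookie is less disruptive while the site waits for 2.7.0.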
🔗 References
- https://plugins.trac.wordpress.org/changeset/3076302/tutor/tags/2.7.0/classes/User.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f8d4029e-07b0-4ceb-ae6e-11a3f7416ebc?source=cve