CVE-2024-4279
📋 TL;DR
This vulnerability allows authenticated attackers with Instructor-level permissions or higher in the Tutor LMS WordPress plugin to delete any course without proper authorization. It affects WordPress sites running Tutor LMS versions up to 2.7.0. The issue stems from missing validation on a user-controlled parameter in the course deletion function.
💻 Affected Systems
- Tutor LMS – eLearning and online course solution WordPress plugin
📦 What is this software?
Tutor LMS by Themeum
⚠️ Risk & Real-World Impact
Worst Case
Malicious instructors could delete all courses on the platform, causing complete loss of educational content and business disruption.
Likely Case
Disgruntled or compromised instructors delete courses they shouldn't have access to, causing content loss and requiring restoration from backups.
If Mitigated
With proper access controls and monitoring, unauthorized deletions are prevented or quickly detected and rolled back.
🎯 Exploit Status
Exploitation requires authenticated access with Instructor permissions. The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3086489/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Tutor LMS plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.7.1+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Remove Instructor permissions temporarily
Temporarily downgrade all Instructor users to lower privilege roles until patching is complete.
Disable course deletion functionality
Use WordPress hooks to disable the vulnerable tutor_course_delete function.
Add to theme's functions.php or custom plugin: add_filter('tutor_course_delete', '__return_false');
🧯 If You Can't Patch
- Implement strict access controls and monitor all course deletion activities
- Regularly backup course content and maintain restore procedures
🔍 How to Verify
Check if Vulnerable:
Check the Tutor LMS plugin version in WordPress admin under Plugins → Installed Plugins. If the version is 2.7.0 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=tutor --field=version
Verify Fix Applied:
After updating, verify that the Tutor LMS version is 2.7.1 or higher. Test course deletion with an Instructor role account against a course it does not own to confirm that the authorization check now rejects the request.
📡 Detection & Monitoring
Log Indicators:
- Multiple course deletion events from single instructor account
- Course deletions outside normal business hours
- Deletion of courses not owned by the deleting user
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=tutor_course_delete
- Unusual pattern of course deletion API calls
SIEM Query:
source="wordpress" AND (action="tutor_course_delete" OR message="*course*deleted*") | stats count by user, src_ip
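The three log indicators and the `stats count by user, src_ip` aggregation above, implemented as a small Python detector over constructed sample records. This is an added example, not code from the advisory or from Tutor LMS; the JSON field names (`ts`, `user`, `src_ip`, `action`, `course_id`, `owner`), the business-hours window and the bulk threshold are assumptions to be adapted to the site's own audit log.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed sample log (not from any real site). One JSON record per admin-ajax
# call; field names are assumed. "owner" is the course author at deletion time.
SAMPLE_LOG = """\
{"ts":"2024-04-30T10:02:11","user":"alice","src_ip":"203.0.113.5","action":"tutor_course_delete","course_id":101,"owner":"alice"}
{"ts":"2024-04-30T23:41:07","user":"mallory","src_ip":"198.51.100.9","action":"tutor_course_delete","course_id":202,"owner":"bob"}
{"ts":"2024-04-30T23:41:09","user":"mallory","src_ip":"198.51.100.9","action":"tutor_course_delete","course_id":203,"owner":"carol"}
{"ts":"2024-04-30T23:41:12","user":"mallory","src_ip":"198.51.100.9","action":"tutor_course_delete","course_id":204,"owner":"bob"}
{"ts":"2024-04-30T11:15:00","user":"bob","src_ip":"192.0.2.7","action":"tutor_course_save","course_id":205,"owner":"bob"}
"""

BUSINESS_HOURS = range(8, 18)   # assumed 08:00-17:59 local time
BULK_THRESHOLD = 3              # assumed: this many deletions by one user is "multiple"


def parse_events(raw):
    """Keep only tutor_course_delete events (the admin-ajax action named on this page)."""
    events = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("action") == "tutor_course_delete":
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return events


def find_indicators(events):
    """Map each of the three log indicators to its findings (users or course ids)."""
    per_user = Counter(e["user"] for e in events)
    findings = {
        "bulk_deletion": sorted(u for u, n in per_user.items() if n >= BULK_THRESHOLD),
        "off_hours": [e["course_id"] for e in events if e["ts"].hour not in BUSINESS_HOURS],
        "not_owner": [e["course_id"] for e in events if e["user"] != e["owner"]],
    }
    return findings


def count_by_user_and_ip(events):
    """Equivalent of the SIEM query's `stats count by user, src_ip`."""
    return dict(Counter((e["user"], e["src_ip"]) for e in events))


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print(find_indicators(ev))
    print(count_by_user_and_ip(ev))
```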
🔗 References
- https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course_List.php#L357
- https://plugins.trac.wordpress.org/changeset/3086489/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/45d04643-e43a-4732-91bf-e4af7b622e33?source=cve