CVE-2024-43231

6.5 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in the Tutor LMS WordPress plugin allows attackers to inject malicious scripts into web pages. When users view affected pages, the scripts execute in their browsers, potentially stealing credentials or performing unauthorized actions. This affects all Tutor LMS installations up to version 2.7.3.

💻 Affected Systems

Products:
  • WordPress Tutor LMS Plugin
Versions: n/a through 2.7.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with Tutor LMS plugin enabled are vulnerable. No special configuration required.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, take over WordPress sites, install backdoors, or redirect users to malicious sites, leading to complete site compromise.

🟠 Likely Case

Attackers inject malicious JavaScript to steal user session cookies, perform actions as authenticated users, or deface website content.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before execution, preventing exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to have contributor-level access or another means of injecting content. A public proof-of-concept exists showing the injection vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.4 or later

Vendor Advisory: https://patchstack.com/database/vulnerability/tutor/wordpress-tutor-lms-plugin-2-7-3-cross-site-scripting-xss-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find Tutor LMS and click 'Update Now'.
4. Verify the version is 2.7.4 or higher.

🔧 Temporary Workarounds

Disable Tutor LMS Plugin (platform: all)

Temporarily disable the vulnerable plugin until patching is possible:

wp plugin deactivate tutor

Implement WAF Rules (platform: all)

Configure the web application firewall to block XSS payloads targeting Tutor LMS endpoints.

🧯 If You Can't Patch

  • Restrict user roles to prevent untrusted users from creating or editing content
  • Implement Content Security Policy (CSP) headers to restrict script execution

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins > Tutor LMS. If the installed version is 2.7.3 or lower, you are vulnerable.

Check Version:

wp plugin get tutor --field=version

Verify Fix Applied:

After updating, verify that the Tutor LMS version shown in the WordPress plugins list is 2.7.4 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to Tutor LMS endpoints
  • JavaScript payloads in form submissions
  • Multiple failed XSS attempts

Network Indicators:

  • Malicious script tags in HTTP requests to /wp-content/plugins/tutor/
  • Unusual content injection patterns

SIEM Query:

source="wordpress.log" AND ("tutor" AND ("script" OR "javascript" OR "onerror" OR "onload"))

🔗 References