CVE-2026-1375
Tutor · Tutor LMS – eLearning and online course solution plugin for WordPress
A high-severity vulnerability has been identified in the Tutor LMS WordPress plugin, which could allow authenticated attackers to access or modify data that they are not authorized to view.
Executive summary
A high-severity vulnerability has been identified in the Tutor LMS WordPress plugin, which could allow authenticated attackers to access or modify data that they are not authorized to view. This Insecure Direct Object Reference (IDOR) flaw could lead to the exposure of sensitive user information, unauthorized changes to course content, and potential data breaches. Organizations using this plugin are at significant risk of data compromise and operational disruption.
Vulnerability
The vulnerability is an Insecure Direct Object Reference (IDOR). This occurs when the application uses user-supplied input to access objects directly without performing proper authorization checks. An authenticated attacker, even with low-level privileges, could exploit this by manipulating identifiers in URL parameters or API requests (e.g., changing a course_id or user_id value) to access or modify data belonging to other users, such as student profiles, private course materials, or administrative settings.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.1. Successful exploitation could lead to significant business consequences, including the unauthorized disclosure of sensitive student and instructor data, violating data privacy regulations like GDPR. Attackers could also modify or delete course content, disrupting educational services and causing reputational damage. The financial impact could stem from regulatory fines, loss of customer trust, and the cost of incident response and data recovery.
Remediation
Immediate Action: Update the "Tutor LMS – eLearning and online course solution" plugin to the latest version available from the vendor, which addresses this vulnerability. After updating, review all WordPress security settings, user roles, and permissions to ensure they follow the principle of least privilege. Remove any plugins or themes that are no longer necessary to reduce the overall attack surface.
Proactive Monitoring: Monitor web server and application logs for suspicious activity. Specifically, look for patterns indicative of IDOR exploitation, such as a single authenticated user session making numerous requests with sequentially incrementing numerical identifiers in parameters. Implement alerts for unusual access to sensitive resources or bulk data access attempts.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block common IDOR attack patterns. Restrict access to the application to trusted IP ranges where possible and enforce strict access controls to limit the potential impact of a compromised low-privilege account.
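As an added illustration of the monitoring guidance above (example code, not part of the advisory or of the Tutor LMS plugin), the following Python script scans constructed access-log lines for a single authenticated user walking sequentially incrementing course_id or user_id values. The log format, the logged user column and the endpoint paths are assumptions; the sample lines are constructed, not real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample log, one request per line: <ip> <wp_user> "<method> <path>" <status>.
# The user column is assumed to come from a logged WordPress session; endpoint paths are placeholders.
SAMPLE_LOG = """\
203.0.113.5 alice "GET /wp-json/example-lms/v1/course?course_id=12" 200
203.0.113.5 alice "GET /wp-json/example-lms/v1/course?course_id=40" 200
198.51.100.9 student7 "GET /wp-json/example-lms/v1/course?course_id=101" 200
198.51.100.9 student7 "GET /wp-json/example-lms/v1/course?course_id=102" 200
198.51.100.9 student7 "GET /wp-json/example-lms/v1/course?course_id=103" 403
198.51.100.9 student7 "GET /wp-json/example-lms/v1/course?course_id=104" 200
198.51.100.9 student7 "GET /wp-json/example-lms/v1/course?course_id=105" 200
198.51.100.9 student7 "GET /wp-json/example-lms/v1/profile?user_id=3" 200
198.51.100.9 student7 "GET /wp-json/example-lms/v1/profile?user_id=4" 200
198.51.100.9 student7 "GET /wp-json/example-lms/v1/profile?user_id=5" 200
"""

ID_PARAMS = ("course_id", "user_id")  # the identifiers the advisory names
LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d{3})$')
def parse_log(text):
    """Yield (user, param, numeric id) for each request carrying a watched parameter."""
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        query = parse_qs(urlparse(m.group("path")).query)
        for param in ID_PARAMS:
            for value in query.get(param, []):
                if value.isdigit():  # ignore non-numeric or malformed values
                    yield m.group("user"), param, int(value)

def detect_id_enumeration(text, min_run=5):
    """Return (user, param, first_id, last_id, run_length) for runs of >= min_run ids each incrementing the last by 1."""
    seqs = defaultdict(list)
    for user, param, oid in parse_log(text):
        seqs[(user, param)].append(oid)  # keep request order per user and parameter
    findings = []
    for (user, param), ids in seqs.items():
        best = run = 1
        start = best_start = ids[0]
        for prev, cur in zip(ids, ids[1:]):
            if cur == prev + 1:
                run += 1
            else:
                run, start = 1, cur  # sequence broken: start a new run here
            if run > best:
                best, best_start = run, start
        if best >= min_run:
            findings.append((user, param, best_start, best_start + best - 1, best))
    return findings
```

Tune min_run to the site's normal browsing patterns; a 403 inside an otherwise successful run is worth keeping in the alert, since it shows the user continuing past a denied object.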
Exploitation status
Public Exploit Available: Not known at this time.
Analyst recommendation
Given the high CVSS score of 8.1 and the direct risk to sensitive user data, we strongly recommend that all organizations using the Tutor LMS plugin apply the vendor-supplied patch immediately. This vulnerability should be treated as a high priority for remediation. Although not currently listed on the CISA KEV list, its potential for data exfiltration and business disruption warrants urgent attention to prevent potential exploitation.