Unprotected AJAX Endpoints in Tutor LMS Plugin Allow Unauthorized Course Modifications and Privilege Escalation

CVE-2021-24184 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Several AJAX endpoints in the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 were unprotected, allowing students to modify course information and elevate their privileges among many other actions.
