PT-2021-15785 · WordPress · The Tutor Lms

Asa

Published

2021-04-22

Updated

2021-04-30

CVE-2021-24242

CVSS v2.0

5.5

Medium

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions The Tutor LMS – eLearning and online course solution WordPress plugin versions prior to 1.8.8

Description A local file inclusion issue affects the plugin, allowing high privilege users to include any local php file through a maliciously constructed sub page parameter of the plugin's Tools.

Recommendations For versions prior to 1.8.8, update to version 1.8.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the Tools section of the plugin to minimize the risk of exploitation. Avoid using the sub page parameter in the affected plugin's Tools until the issue is resolved.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2021-24242

Affected Products

The Tutor Lms

PT-2021-15785 · WordPress · The Tutor Lms

CVE-2021-24242

Weakness Enumeration

Related Identifiers

Affected Products

References · 3