CVE-2024-1133

Name of the Vulnerable Software and Affected Versions The Tutor LMS – eLearning and online course solution plugin for WordPress versions up to, and including, 2.6.0

Description The issue allows authenticated attackers with subscriber access or higher to interact with questions in courses they are not enrolled in, including private courses, due to a missing capability check when interacting with questions.

Recommendations For versions up to, and including, 2.6.0, update to a version higher than 2.6.0 to resolve the issue. As a temporary workaround, consider restricting access to the Q&A content for users who are not enrolled in the respective courses.