PT-2024-30162 · WordPress · The Tutor Lms

Thanh Nam Tran · Published 2024-05-16 · Updated 2025-01-24 · CVE-2024-4279

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

The Tutor LMS – eLearning and online course solution plugin for WordPress versions up to, and including, 2.7.0

Description

Missing validation on a user-controlled key in the tutor course delete function allows authenticated attackers with Instructor-level permissions and above to delete any course.

Recommendations

For versions up to, and including, 2.7.0, consider disabling the tutor course delete function until a patch is available to prevent arbitrary course deletion. Restrict access to the course deletion functionality to minimize the risk of exploitation.

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2024-4279

Affected Products

The Tutor Lms