CVE-2024-1503 in Tutor LMS Plugininfo

Summary

by MITRE • 03/21/2024

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.1. This is due to missing or incorrect nonce validation on the erase_tutor_data() function. This makes it possible for unauthenticated attackers to deactivate the plugin and erase all data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This requires the "Erase upon uninstallation" option to be enabled.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 04/13/2026

The vulnerability identified as CVE-2024-1503 affects the Tutor LMS plugin for WordPress, a widely used eLearning platform that enables educators to create and manage online courses. This particular weakness resides within the plugin's handling of data erasure functionality, specifically in the erase_tutor_data() function that manages the removal of all course-related information when the plugin is uninstalled. The issue manifests as a cross-site request forgery vulnerability that undermines the security controls designed to protect against unauthorized administrative actions. The vulnerability impacts all versions of the plugin up to and including version 2.6.1, making it a significant concern for WordPress site administrators who rely on this popular educational platform.

The technical flaw stems from the absence of proper nonce validation within the erase_tutor_data() function, which represents a fundamental security oversight in the plugin's code implementation. Nonces serve as cryptographic tokens that verify the authenticity of requests and prevent unauthorized operations from being executed. In this case, the missing validation allows malicious actors to craft forged HTTP requests that appear to originate from legitimate administrative sessions. The vulnerability requires the specific "Erase upon uninstallation" option to be enabled for exploitation to be possible, but this condition does not make the vulnerability any less dangerous. According to CWE-352, this represents a classic cross-site request forgery vulnerability where the attacker can manipulate the victim's browser into performing unwanted actions without their knowledge or consent, directly violating the principle of least privilege in security design.

The operational impact of this vulnerability extends beyond simple data loss, as it provides attackers with the ability to completely disable the plugin and erase all associated course data, potentially causing significant disruption to educational institutions and online learning platforms. The attack requires social engineering to trick administrators into clicking malicious links, but once successful, it can result in permanent data deletion and operational downtime. This type of vulnerability particularly affects organizations that depend on continuous access to their learning management systems, as the unauthorized erasure of course content could impact thousands of students and educators. The attack vector aligns with ATT&CK technique T1484.001, which describes the exploitation of weak controls to gain unauthorized access to administrative functions, potentially leading to broader system compromise. The vulnerability's exploitation could result in complete loss of educational content, disruption of learning schedules, and potential regulatory compliance issues for institutions that must maintain course data for audit purposes.

The recommended mitigation strategy involves immediate patching of the affected plugin to version 2.6.2 or later, which should contain the necessary nonce validation fixes. Site administrators should also review their plugin configurations to ensure that the "Erase upon uninstallation" option is disabled unless absolutely necessary, as this condition is required for the vulnerability to be exploitable. Additionally, implementing proper security monitoring and access controls can help detect unauthorized administrative actions. Organizations should consider maintaining regular backups of their course data and implementing multi-factor authentication for administrative accounts to reduce the risk of unauthorized access. Network segmentation and web application firewalls can provide additional layers of protection against such attacks. The vulnerability demonstrates the critical importance of validating all user inputs and implementing proper authentication mechanisms, particularly for functions that perform destructive operations on system data, as outlined in the OWASP Top Ten security principles and the NIST Cybersecurity Framework.

Responsible

Wordfence

Reservation

02/14/2024

Disclosure

03/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00220

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!