CVE-2026-3358
Unauthorized Enrollment Vulnerability in Tutor LMS WordPress Plugin
Publication date: 2026-04-11
Last updated on: 2026-04-11
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tutor_lms | tutor_lms | up to and including 3.9.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Tutor LMS WordPress plugin up to and including version 3.9.7, where an authenticated user can enroll in a private course without being authorized to see it.
This happens because the functions responsible for enrollment (`enroll_now()` and `course_enrollment()`) never look at the course's `post_status` to see whether the course is private.
The plugin does verify the nonce, that the user is logged in, and whether the course is purchasable, but it does not require the capability that WordPress uses to gate private posts (`read_private_posts`), so the private status of a course has no effect on enrollment.
As a result, any authenticated user with Subscriber-level access or higher can enroll in a private course by sending a crafted POST request carrying that course's ID.
The course content itself stays inaccessible (WordPress core returns a 404 for a private post the user cannot read), but the enrollment record is written and the private course's title becomes visible on the subscriber's dashboard.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows authenticated users with Subscriber-level access or above to enroll in private courses without proper authorization due to missing validation of the course's private status.
Although the actual course content remains protected by WordPress core access controls (returning 404 errors), the exposure of private course titles and enrollment status in the subscriber's dashboard could lead to unauthorized disclosure of sensitive information.
Such unauthorized exposure of private data may impact compliance with data protection regulations like GDPR or HIPAA, which require strict control over access to personal or sensitive information.
How can this vulnerability impact me?
This vulnerability allows authenticated users with Subscriber-level access or above to enroll in private courses they are not authorized to see.
Although they cannot view the course content itself, because WordPress core still enforces read access on private posts, they learn the titles of private courses and gain an enrollment status in them.
The practical impact is disclosure of which private courses exist and the creation of unauthorized enrollment records in the database, which can distort enrollment reporting and, depending on what is attached to enrollment (notifications, certificates, access to course-level material the plugin gates only on enrollment), may have further consequences.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: spotting enrollment requests that target private courses, and auditing the enrollment records that already exist.
The handlers named above (`enroll_now()` and `course_enrollment()`) are PHP functions, not URL paths: the request that reaches them is a POST to the plugin's enrollment endpoint, and the course ID travels in the POST body. A standard web server access log records only the request line, so it shows that a POST happened but not which course was targeted; correlating requests with private course IDs needs request-body logging at the application, reverse proxy or WAF layer, or a review of the enrollment records the requests created.
Web server logs and network monitoring can still narrow down the candidate requests.
- `grep` over the access log isolates POST traffic, for example `grep 'POST.*enroll_now' /var/log/apache2/access.log`, but note that this pattern only matches when the action name appears in the request line (query string); an action sent in the POST body will not be visible there.
- Use `curl` or `httpie`, logged in as a Subscriber-level test account on a staging copy of the site, to send the enrollment POST for a private course and confirm whether an enrollment record is created without the required capability.
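The most reliable check is on the data the attack leaves behind: an enrollment record attached to a course whose `post_status` is `private`, created by a user who cannot read that course. The following audit script is an added example (not part of the advisory or the Tutor LMS code base) meant to be run with `wp eval-file`. It assumes that Tutor LMS stores each enrollment as a post of type `tutor_enrolled` whose `post_parent` is the course ID and whose `post_author` is the student; verify both against your installation before trusting the output.

```php
<?php
/**
 * Added example, not the plugin's own code.
 * Lists enrollment records whose course is private and whose student
 * lacks the capability to read that course.
 *
 * Assumptions (check against your site):
 *  - enrollments are posts of type 'tutor_enrolled'
 *  - enrollment post_parent = course ID, post_author = student user ID
 *
 * Run:  wp eval-file audit-private-enrollments.php
 */

function audit_private_course_enrollments() {
    global $wpdb;

    // Join every enrollment record to its parent course; keep only private courses.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT e.ID         AS enrollment_id,
                    e.post_author AS user_id,
                    e.post_parent AS course_id,
                    e.post_date   AS enrolled_at,
                    c.post_title  AS course_title
               FROM {$wpdb->posts} e
               JOIN {$wpdb->posts} c ON c.ID = e.post_parent
              WHERE e.post_type  = %s
                AND c.post_status = %s",
            'tutor_enrolled',
            'private'
        )
    );

    $suspicious = array();
    foreach ( $rows as $row ) {
        // WordPress maps 'read_post' on a private post to read_private_posts
        // (or to 'read' for the post's own author). This is the same rule that
        // makes the course content 404 for an unauthorized subscriber, so an
        // enrollment that fails it is exactly the case this advisory describes.
        if ( user_can( (int) $row->user_id, 'read_post', (int) $row->course_id ) ) {
            continue; // author, editor, admin: legitimately allowed
        }
        $suspicious[] = $row;
    }
    return $suspicious;
}

$hits = audit_private_course_enrollments();
if ( empty( $hits ) ) {
    echo "No private-course enrollments by users who cannot read the course.\n";
} else {
    foreach ( $hits as $hit ) {
        $user = get_userdata( (int) $hit->user_id );
        printf(
            "enrollment %d: user %d (%s) enrolled in private course %d \"%s\" at %s\n",
            $hit->enrollment_id,
            $hit->user_id,
            $user ? $user->user_login : 'unknown',
            $hit->course_id,
            $hit->course_title,
            $hit->enrolled_at
        );
    }
}
```

Each line the script prints is an enrollment that should not exist under the intended authorization model; the `enrolled_at` timestamp gives the window to search in request logs, and the user ID identifies the account to review. Unauthorized records can then be removed with the plugin's own enrollment management rather than by deleting rows directly.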
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update the Tutor LMS plugin to a version newer than 3.9.7, in which this check is present.
If an update is not immediately possible, add your own access control in front of enrollment: verify the course's `post_status` and refuse enrollment in a private course for any user who cannot read it, keeping the plugin's existing nonce, login and purchasability checks in place.
Additionally, monitor for and block POST requests attempting to enroll users in private courses, and audit existing enrollment records for private courses created by low-privilege accounts.
Only users with the `read_private_posts` capability (the same capability WordPress requires to view a private post) should be able to enroll in a private course.
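The missing check described in the explanation above and the interim guard recommended here are the same piece of logic, shown below as an added example must-use plugin; it is not the advisory's or Tutor LMS's own code. It performs the `post_status` and capability check in addition to the plugin's own nonce, login and purchasability checks. The hook name `tutor_before_enroll` and its `$course_id` argument are assumptions about where the plugin lets you intervene before an enrollment record is written; confirm the action the installed version actually fires before relying on this.

```php
<?php
/**
 * Plugin Name: Private course enrollment guard (added example, not Tutor LMS code)
 * Description: Refuses enrollment in a private course unless the user can read it.
 *
 * Install as wp-content/mu-plugins/private-course-enroll-guard.php until the
 * plugin is updated past 3.9.7.
 *
 * Assumption: Tutor LMS fires do_action( 'tutor_before_enroll', $course_id )
 * before writing the enrollment record. Verify this hook in your version.
 */

/**
 * The authorization rule the vulnerable handlers omit.
 * Returns true when $user_id may enroll in $course_id.
 */
function pceg_user_may_enroll_in_course( $course_id, $user_id ) {
    $course_id = (int) $course_id;
    $status    = get_post_status( $course_id );

    if ( false === $status ) {
        return false; // no such post: never enroll in a non-existent course
    }
    if ( 'private' !== $status ) {
        return true;  // public courses keep the plugin's existing rules
    }

    // Private course: require the same capability WordPress core requires to
    // view it. 'read_post' on a private post maps to read_private_posts for the
    // course's post type (or to 'read' for its own author). A Subscriber fails
    // here, which is the case the advisory describes.
    return user_can( (int) $user_id, 'read_post', $course_id );
}

/**
 * Abort the request before any enrollment record is created.
 */
function pceg_block_private_course_enrollment( $course_id ) {
    $user_id = get_current_user_id();

    if ( ! pceg_user_may_enroll_in_course( $course_id, $user_id ) ) {
        wp_die(
            esc_html__( 'You are not allowed to enroll in this course.' ),
            esc_html__( 'Enrollment refused' ),
            array( 'response' => 403 )
        );
    }
}
// Priority 1 so the guard runs before anything else hooked to the same action.
add_action( 'tutor_before_enroll', 'pceg_block_private_course_enrollment', 1 );
```

Keeping the rule in its own function (`pceg_user_may_enroll_in_course`) makes it easy to test in isolation with `wp eval` against a known private course ID and a Subscriber user ID, and to reuse it in a front-end template so that the enroll button is hidden for users the guard would reject.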