Tutor LMS Sensitive Information Exposure Vulnerability in Coupon Details AJAX Action

Vulnerability

A vulnerability allowing sensitive information exposure has been identified in the Tutor LMS WordPress plugin, in all versions through 3.9.5. The issue arises from inadequate authorization checks in the 'ajax_coupon_details' function, which validates a nonce but never checks the caller's capabilities. This flaw enables authenticated attackers with Subscriber-level access and above to read confidential coupon information, such as coupon codes, discount amounts, usage statistics, and the courses or bundles each coupon applies to.

Impact

Exploitation of this vulnerability allows authenticated users with Subscriber-level access and above to read sensitive coupon information, including coupon codes, discount amounts, usage statistics, and the courses or bundles each coupon applies to.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a request to the 'tutor_coupon_details' AJAX action. The request must carry a valid nonce, but because the handler performs no capability check, the nonce alone is enough for the user to retrieve sensitive coupon information without the permissions that should be required.
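The following is an added illustration of the bug class described in the Vulnerability and Reproduction sections above; it is not Tutor LMS code and does not reproduce the plugin's actual handler. The action name, hook names, function names and the 'manage_options' capability are all assumptions chosen for this example. It shows a WordPress AJAX handler that checks only a nonce next to the same handler with the missing capability check added, using only standard WordPress APIs.

```php
<?php
// Hypothetical illustration of a nonce-only AJAX handler and its hardened form.
// Not Tutor LMS code; all names and the capability used are assumptions.

// BEFORE (vulnerable pattern): only the nonce is checked. A nonce proves the
// request originated from a page the logged-in user loaded (CSRF protection),
// not that the user is allowed to see coupon data, so any Subscriber who holds
// a valid nonce is served the record.
function acme_ajax_coupon_details_vulnerable() {
    check_ajax_referer( 'acme_coupon_nonce', 'nonce' );   // CSRF check only

    $coupon_id = isset( $_POST['coupon_id'] ) ? absint( $_POST['coupon_id'] ) : 0;
    wp_send_json_success( acme_get_coupon_details( $coupon_id ) );
}

// AFTER (hardened): the nonce AND a capability are both required. The
// current_user_can() call is the authorization step the vulnerable handler lacks.
function acme_ajax_coupon_details_fixed() {
    check_ajax_referer( 'acme_coupon_nonce', 'nonce' );

    // 'manage_options' is an assumed administrator-level capability; a real
    // plugin would normally map this to its own, narrower coupon-management
    // capability so that only the intended roles pass.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $coupon_id = isset( $_POST['coupon_id'] ) ? absint( $_POST['coupon_id'] ) : 0;
    if ( ! $coupon_id ) {
        wp_send_json_error( array( 'message' => 'Invalid coupon id.' ), 400 );
    }

    wp_send_json_success( acme_get_coupon_details( $coupon_id ) );
}

// Placeholder data-access function so the file is self-contained. The record
// is a constructed sample standing in for a database lookup.
function acme_get_coupon_details( $coupon_id ) {
    return array(
        'id'          => $coupon_id,
        'code'        => 'SAMPLE10',
        'discount'    => 10,
        'usage_count' => 3,
        'applies_to'  => array( 'course' => 42 ),
    );
}

// Register only the hardened handler. wp_ajax_{action} hooks fire for every
// logged-in user regardless of role, which is why the capability check has to
// live inside the handler rather than being implied by the login itself.
add_action( 'wp_ajax_acme_coupon_details', 'acme_ajax_coupon_details_fixed' );
```

When reviewing a plugin for this class of issue, every callback registered on a `wp_ajax_` hook is a candidate: the presence of `check_ajax_referer()` or `wp_verify_nonce()` on its own is not evidence of authorization, and each handler that returns or modifies privileged data should contain its own `current_user_can()` check.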

Remediation

Users are advised to update the Tutor LMS WordPress plugin to version 3.9.6 or a newer patched version.

Added: Feb 3, 2026, 8:23 AM
Updated: Feb 3, 2026, 8:23 AM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          2.5
exploitability  5.8
remediation     7.7
relevance       2.8
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.