Tutor LMS
cpe:2.3:a:themeum:tutor_lms:*:*:*:*:wordpress:*:*
- <= 3.9.7
A vulnerability exists in the Tutor LMS WordPress plugin, allowing unauthorized enrollment in private courses. This issue affects all versions up to and including 3.9.7. The vulnerability arises from a lack of validation for the post status in the 'enroll_now()' and 'course_enrollment()' functions. While these functions check the nonce, user authentication, and course purchasability, they neglect to verify if a course is marked as private. As a result, authenticated users with Subscriber-level access or higher can enroll in private courses by sending a crafted POST request with the course ID. Although the enrollment is recorded in the database and the course title and enrollment status are visible in the subscriber's dashboard, WordPress's core access controls prevent subscribers from accessing the actual course content, which results in a 404 error. Enrollment in private courses should be limited to users with the 'read_private_posts' capability.
Exploitation of this vulnerability allows for unauthorized enrollment in private courses, creating a record of enrollment in the database and disclosing the private course title and enrollment status in the subscriber's dashboard.
Users are advised to update the Tutor LMS WordPress plugin to version 3.9.8 or a newer patched version.
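The advisory describes the missing check as a post-status validation before enrollment is recorded. The following is an added illustration of that guard, not Tutor LMS code: the handler name, nonce action, `courses` post type and `course_id` parameter are assumptions, and it also denies enrollment in drafts and other unpublished states, which goes beyond the private-course case the advisory names.

```php
<?php
// Added example, not the plugin's own code. Shows an enrollment guard that
// keeps the existing nonce/login checks and adds the post-status check the
// advisory says enroll_now()/course_enrollment() lacked.

function my_course_can_enroll( int $course_id, int $user_id ): bool {
    $course = get_post( $course_id );
    // 'courses' is an assumed post type name for this illustration.
    if ( ! $course || 'courses' !== $course->post_type ) {
        return false;
    }
    // Published courses may be enrolled in by any authenticated user
    // (the purchasability check is separate and not shown here).
    if ( 'publish' === $course->post_status ) {
        return true;
    }
    // The missing validation: a private course is enrollable only by a
    // user who holds the 'read_private_posts' capability.
    if ( 'private' === $course->post_status ) {
        return user_can( $user_id, 'read_private_posts' );
    }
    // Drafts, pending and trashed courses are never enrollable (assumption).
    return false;
}

// Hypothetical AJAX handler wired to a POST carrying course_id.
function my_course_enroll_handler(): void {
    // Checks the advisory says were already present: nonce and authentication.
    if ( ! is_user_logged_in()
        || ! check_ajax_referer( 'my_enroll_nonce', '_wpnonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }
    $course_id = isset( $_POST['course_id'] ) ? absint( $_POST['course_id'] ) : 0;
    if ( ! my_course_can_enroll( $course_id, get_current_user_id() ) ) {
        // Deny before any enrollment row is written, so no record or course
        // title can leak into the subscriber's dashboard.
        wp_send_json_error( array( 'message' => 'Course not available' ), 403 );
    }
    // Purchasability check and the actual enrollment record would follow here.
    wp_send_json_success( array( 'course_id' => $course_id ) );
}
add_action( 'wp_ajax_my_course_enroll', 'my_course_enroll_handler' );
```

The point of ordering is that the status and capability check runs before any database write, since the advisory notes the enrollment record itself is what discloses the private course title.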