Tutor LMS
cpe:2.3:a:themeum:tutor_lms:*:*:*:*:wordpress:*:*
- <= 3.9.7
A vulnerability exists in the Tutor LMS WordPress plugin, specifically in versions up to and including 3.9.7. The issue is an Insecure Direct Object Reference (IDOR) caused by missing authorization checks in the private method 'save_course_content_order()'. This method is invoked unconditionally by the 'tutor_update_course_content_order' AJAX handler. While the handler includes a management check for users, the 'save_course_content_order()' method processes JSON data related to lesson sorting without verifying user ownership or capabilities. As a result, authenticated attackers with Subscriber-level access or higher can manipulate course content by detaching lessons from topics, reordering lessons, and reassigning them between topics in any course, including those owned by administrators.
Exploitation of this vulnerability allows for unauthorized modification of course content, including reordering lessons and changing lesson assignments between topics, potentially disrupting course structure and management.
Users are advised to update the Tutor LMS plugin to version 3.9.8 or a newer patched version.
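As an added illustration (not Tutor LMS's code), a hypothetical WordPress AJAX handler showing the bug class the advisory describes, a coarse role gate followed by an ownership-blind save routine, beside a hardened version that resolves the parent course of every lesson/topic pair and checks the caller's 'edit_post' capability on that course. The 'example_' names, the nonce name, the request shape and the post_parent model (lesson -> topic -> course) are assumptions.

```php
<?php
// Hypothetical PHP reproduction of the bug class described above; not Tutor LMS code.
// Assumed model: lesson posts have post_parent = topic, topic posts have post_parent = course.
// Constructed request shape: items = [{"lesson_id":12,"topic_id":7,"order":0}, ...]
function example_save_order( array $items ) {
    foreach ( $items as $item ) {
        // Re-parents and reorders whatever ids the caller supplied; no ownership check here.
        wp_update_post( array(
            'ID'          => (int) $item['lesson_id'],
            'post_parent' => (int) $item['topic_id'],
            'menu_order'  => (int) $item['order'],
        ) );
    }
}

// Vulnerable pattern: a coarse role gate, then the unconditional save.
function example_handler_vulnerable() {
    check_ajax_referer( 'example_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    example_save_order( json_decode( wp_unslash( $_POST['items'] ?? '[]' ), true ) ?: array() );
    wp_send_json_success();
}

// Hardened pattern: resolve the course behind every lesson/topic pair and check it per item.
function example_handler_fixed() {
    check_ajax_referer( 'example_nonce', 'nonce' );
    $items = json_decode( wp_unslash( $_POST['items'] ?? '[]' ), true );
    if ( ! is_array( $items ) ) {
        wp_send_json_error( 'bad request', 400 );
    }
    foreach ( $items as $item ) {
        $lesson = get_post( (int) ( $item['lesson_id'] ?? 0 ) );
        $topic  = get_post( (int) ( $item['topic_id'] ?? 0 ) );
        if ( ! $lesson || ! $topic ) {
            wp_send_json_error( 'not found', 404 );
        }
        $lesson_course = wp_get_post_parent_id( $lesson->post_parent ); // lesson -> topic -> course
        $topic_course  = wp_get_post_parent_id( $topic->ID );           // topic -> course
        // The lesson must stay inside the course it came from, and the caller must be allowed to edit that course.
        if ( ! $topic_course || $lesson_course !== $topic_course
            || ! current_user_can( 'edit_post', $topic_course ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
    }
    example_save_order( $items );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_order', 'example_handler_fixed' );
```

The per-item course check is the part the advisory says is missing: a role-level gate on the handler alone cannot tell whether the submitted lesson and topic ids belong to a course the caller is entitled to manage.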