CVE-2021-24242

Tutor LMS <= 1.8.7 - Authenticated Local File Inclusion

mediumImproper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

5.5

CVSS Score

5.5

CVSS Score

medium

Severity

1.8.8

Patched in

1023d

Time to patch

Description

The Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.8 is affected by a local file inclusion vulnerability through the maliciously constructed sub_page parameter of the plugin's Tools, allowing high privilege users to include any local php file

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

High

Confidentiality

Low

Integrity

Low

Availability

Technical Details

Affected versions<=1.8.7

PublishedApril 5, 2021

Last updatedJanuary 22, 2024

Affected plugintutor

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/76c0d4f8-230d-452a-b39d-cbcb0af0fd72?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database