[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftm2RtuEO8iQLbFVpr2aYypayt99b5K6YIQHRP6zILQY":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-40743","tutor-lms-elearning-and-online-course-solution-missing-authorization-2","Tutor LMS – eLearning and online course solution \u003C= 3.9.7 - Missing Authorization","The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.9.7. This makes it possible for unauthenticated attackers to perform an unauthorized action.","tutor",null,"\u003C=3.9.7","3.9.8","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-20 00:00:00","2026-04-30 15:02:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe4482f92-024d-402d-9cf3-c4709f23baf0?source=api-prod",11,[],"researched",false,3,"This research plan targets **CVE-2026-40743**, a Missing Authorization vulnerability in Tutor LMS (\u003C= 3.9.7). The vulnerability allows unauthenticated attackers to perform unauthorized actions, typically via AJAX endpoints that fail to implement `current_user_can()` checks.\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Missing Authorization\n*   **Affected Component:** AJAX handlers registered via `wp_ajax_nopriv_` (unauthenticated) or `wp_ajax_` (authenticated) that lack internal capability checks.\n*   **Root Cause:** The plugin registers a sensitive action (likely related to course management, instructor settings, or system configuration) and fails to verify if the requesting user has the necessary permissions (e.g., `manage_options` or `tutor_instructor`) before performing a state-changing operation.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action Name:** To be determined via discovery (likely `tutor_ajax_...` or a registration-related action).\n*   **Authentication:** None (Unauthenticated).\n*   **Parameter:** `action`, `_tutor_nonce` (or similar), and action-specific data parameters.\n*   **Preconditions:** The plugin must be active. If the vulnerability involves course enrollment, at least one course must exist.\n\n### 3. Code Flow (Inferred\u002FDiscovery Path)\n1.  **Entry Point:** An AJAX request is sent to `admin-ajax.php` with `action=[VULNERABLE_ACTION]`.\n2.  **Hook Registration:** The plugin defines the hook in a class like `TUTOR\\Ajax` or within `classes\u002FAjax.php` using:\n    `add_action( 'wp_ajax_nopriv_[VULNERABLE_ACTION]', array( $this, '[CALLBACK_FUNCTION]' ) );`\n3.  **Nonce Validation:** The callback likely calls `check_ajax_referer()` or `wp_verify_nonce()`. If a nonce is required, it must be retrieved from the frontend (see Section 4).\n4.  **Vulnerable Sink:** The `[CALLBACK_FUNCTION]` proceeds to update the database (e.g., `update_option`, `wp_update_user`, or `$wpdb->update`) without calling `current_user_can()`.\n\n### 4. Nonce Acquisition Strategy\nTutor LMS frequently localizes configuration data and nonces into a global JavaScript object named `tutor_get_conf`.\n\n1.  **Identify Trigger:** Nonces are typically loaded on pages where Tutor LMS functionality is present (e.g., the Course Archive or a single Course page).\n2.  **Setup:** Create a dummy course to ensure the scripts are enqueued.\n    *   `wp post create --post_type=courses --post_title=\"Exploit Test\" --post_status=publish`\n3.  **Extraction:**\n    *   Navigate to the homepage or the newly created course page.\n    *   Use `browser_eval` to extract the nonce:\n        `browser_eval(\"window.tutor_get_conf?.nonce\")`\n    *   If that fails, check for other common Tutor LMS keys: `window.tutor_get_conf?.tutor_nonce` or `window.TutorLMSConfig?.nonce`.\n\n### 5. Exploitation Strategy\nThe specific vulnerable action needs to be identified. Based on common \"Missing Authorization\" flaws in Tutor LMS, we will test for unauthorized instructor registration or settings modification.\n\n#### Phase A: Discovery\nSearch the plugin code for unauthenticated AJAX actions that perform updates:\n```bash\ngrep -rn \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Ftutor\u002F | grep -v \"get_\\|load_\"\n```\n*Note: Focus on actions that call functions involving `update`, `delete`, `reset`, or `insert`.*\n\n#### Phase B: Execution (Example: Unauthorized Setting Update)\n*Assuming the vulnerable action is `tutor_place_order` (unauthorized enrollment) or a settings reset.*\n\n**Request Template:**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=[IDENTIFIED_ACTION]&\n    _tutor_nonce=[EXTRACTED_NONCE]&\n    [PAYLOAD_PARAM]=[VALUE]\n    ```\n\n### 6. Test Data Setup\n1.  **Install Tutor LMS:** Ensure version 3.9.7 is installed.\n2.  **Create Course:**\n    ```bash\n    wp post create --post_type=courses --post_title=\"Target Course\" --post_status=publish\n    ```\n3.  **Identify Course ID:** Use `wp post list --post_type=courses` to get the ID.\n4.  **Check Registration Settings:** Ensure \"Anyone can register\" is enabled in WP settings if testing user-related actions.\n\n### 7. Expected Results\n*   **Success:** The server returns a successful response (often JSON `{\"success\": true}`) and the state change is reflected in the database.\n*   **Failure:** The server returns `403 Forbidden`, `-1`, or a JSON error indicating \"Permission Denied\".\n\n### 8. Verification Steps\nAfter sending the exploit request, verify the impact using WP-CLI:\n1.  **If Enrollment Exploit:** Check if the unauthenticated \"session\" (or a target user) is now enrolled.\n    ```bash\n    wp db query \"SELECT * FROM wp_posts WHERE post_type = 'tutor_enrolled'\"\n    ```\n2.  **If Settings Exploit:** Check the target option value.\n    ```bash\n    wp option get [TARGET_OPTION_NAME]\n    ```\n3.  **If User Promotion Exploit:** Check the user capabilities.\n    ```bash\n    wp user list --role=tutor_instructor\n    ```\n\n### 9. Alternative Approaches\nIf the `nopriv` handlers are all properly authorized, investigate:\n1.  **Subscriber-level Authorization:** Many Tutor LMS actions are registered for `wp_ajax_` (authenticated) but only check for \"logged in\" status rather than specific capabilities.\n    *   Create a Subscriber user: `wp user create attacker attacker@example.com --role=subscriber`.\n    *   Obtain a nonce while logged in as Subscriber.\n    *   Attempt to access Instructor-level or Admin-level AJAX actions.\n2.  **REST API Endpoints:** Check `register_rest_route` calls in Tutor LMS for missing `permission_callback` values.\n    ```bash\n    grep -rn \"register_rest_route\" wp-content\u002Fplugins\u002Ftutor\u002F -A 5\n    ```","The Tutor LMS plugin for WordPress is vulnerable to unauthorized access in versions up to and including 3.9.7. This vulnerability arises because specific AJAX handlers lack internal capability checks, enabling unauthenticated attackers to execute unauthorized actions such as modifying course settings or instructor-level configurations.","1. Identify the targeted AJAX action registered via 'wp_ajax_nopriv_' or 'wp_ajax_' that lacks a 'current_user_can()' check within its callback function.\n2. Navigate to the site's frontend (e.g., a course page) and extract a valid security nonce from the 'tutor_get_conf' or 'TutorLMSConfig' global JavaScript object.\n3. Send a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter, the extracted nonce, and any required payload data for the unauthorized function.\n4. Confirm execution by verifying changes to the plugin's configuration, user roles, or course data without the necessary administrative privileges.","gemini-3-flash-preview","2026-05-04 19:47:50","2026-05-04 19:49:50",{"type":32,"vulnerable_version":33,"fixed_version":11,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":36,"fixed_zip":37,"all_tags":38},"plugin","3.9.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftutor\u002Ftags\u002F3.9.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftutor.3.9.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftutor\u002Ftags\u002F3.9.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftutor.3.9.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftutor\u002Ftags"]