[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fPQG0ga6DYOQDCcir-8OpTkhyXaCTIX525jDJqPJzb5M":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-23799","tutor-lms-elearning-and-online-course-solution-missing-authorization","Tutor LMS – eLearning and online course solution \u003C= 3.9.5 - Missing Authorization","The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.9.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.","tutor",null,"\u003C=3.9.5","3.9.6","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-25 00:00:00","2026-03-05 17:57:17",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F24009534-3a57-4ed3-b841-72e87e2a6925?source=api-prod",9,[],"researched",false,3,"This research plan focuses on **CVE-2026-23799**, a Missing Authorization vulnerability in **Tutor LMS** (\u003C= 3.9.5). The vulnerability allows a Subscriber-level user to execute privileged actions because a capability check is missing in an AJAX handler.\n\n### 1. Vulnerability Summary\nThe vulnerability exists in the plugin's handling of AJAX requests. Tutor LMS often uses a centralized AJAX dispatcher (frequently named `tutor_ajax`) or specific AJAX hooks (`wp_ajax_tutor_*`). The affected versions fail to verify if the authenticated user has the necessary permissions (e.g., `tutor_instructor` or `manage_options`) before executing logic that modifies database state, such as managing announcements, quizzes, or course settings.\n\n### 2. Attack Vector Analysis\n* **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Action:** `tutor_ajax` (dispatching to a vulnerable `tutor_action`) or a direct `wp_ajax_` hook.\n* **Vulnerable Parameter:** `tutor_action` (if using the dispatcher) or specific parameters related to the action (e.g., `course_id`, `announcement_id`).\n* **Authentication:** Subscriber-level access is required.\n* **Preconditions:** The attacker must be logged in and obtain a valid Tutor LMS AJAX nonce.\n\n### 3. Code Flow (Inferred)\n1. **Entry Point:** The plugin registers AJAX handlers in `classes\u002FAjax.php` or `classes\u002FInit.php` using `add_action( 'wp_ajax_tutor_ajax', ... )`.\n2. **Dispatcher:** The handler function (likely `Tutor\\Models\\Ajax::tutor_ajax`) retrieves the `tutor_action` from the `$_POST` request.\n3. **Missing Check:** The dispatcher checks the WordPress nonce (via `check_ajax_referer` or `wp_verify_nonce`) but fails to call `current_user_can()` to verify the user's role.\n4. **Action Execution:** The dispatcher calls a specific function (e.g., `tutor_announcement_create_or_update`) that performs the privileged operation.\n5. **Sink:** Database modification occurs via `$wpdb` or `update_post_meta`.\n\n### 4. Nonce Acquisition Strategy\nTutor LMS localizes its security tokens into the `tutor_get_conf` JavaScript object. To obtain a valid nonce as a Subscriber:\n\n1. **Setup:** Ensure a course exists and the Subscriber is logged in.\n2. **Navigation:** Navigate the browser to any Tutor LMS dashboard page or course page where the plugin's scripts are loaded.\n3. **Extraction:**\n * **JS Variable:** `tutor_get_conf`\n * **Nonce Key:** `nonce`\n * **Command:** `browser_eval(\"window.tutor_get_conf?.nonce\")`\n4. **Fallback:** If not in `tutor_get_conf`, check for `_tutor_nonce` in the global `window` scope or search the HTML source for `name=\"_tutor_nonce\"`.\n\n### 5. Exploitation Strategy\nWe will target an action that allows a Subscriber to create a Course Announcement, an action normally reserved for Instructors or Admins.\n\n* **Step 1:** Log in as a Subscriber.\n* **Step 2:** Obtain the nonce using the method in Section 4.\n* **Step 3:** Identify a target `course_id`.\n* **Step 4:** Send a crafted AJAX request to create an announcement.\n\n**HTTP Request (Example):**\n* **Method:** `POST`\n* **URL:** `https:\u002F\u002Ftarget.site\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n* **Body:**\n ```\n action=tutor_ajax&tutor_action=tutor_announcement_create_or_update&nonce=[NONCE]&course_id=[COURSE_ID]&announcement_title=Exploited&announcement_content=Unauthorized+Announcement\n ```\n\n### 6. Test Data Setup\n1. **Create Admin:** Already exists in environment.\n2. **Create Subscriber:**\n `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`\n3. **Create Course:**\n `wp post create --post_type=courses --post_title=\"Target Course\" --post_status=publish --post_author=1`\n *(Note: Capture the generated Post ID as `COURSE_ID`)*.\n4. **Verify Plugin State:** Ensure `tutor` plugin is active and version is \u003C= 3.9.5.\n\n### 7. Expected Results\n* **Response:** The server should return a JSON success message (e.g., `{\"success\":true,...}`).\n* **Impact:** A new announcement record is created in the database, associated with the specified `course_id`, despite the requester being a Subscriber.\n\n### 8. Verification Steps\nAfter the HTTP request, verify the creation of the announcement via WP-CLI:\n\n1. **Check for new post\u002Fcomment:** Tutor LMS often stores announcements as comments or custom post types.\n * Check comments: `wp comment list --post_id=[COURSE_ID]`\n * Check for specific metadata: `wp post meta list [COURSE_ID]`\n2. **Check Database directly:**\n `wp db query \"SELECT * FROM wp_posts WHERE post_title = 'Exploited' AND post_type = 'tutor_announcements'\"` (or relevant table).\n\n### 9. Alternative Approaches\nIf `tutor_announcement_create_or_update` is not the specific vulnerable action, try:\n* **tutor_place_order:** Attempt to enroll the subscriber in a course.\n* **tutor_mark_answer_as_correct:** Attempt to modify quiz results.\n* **tutor_quiz_builder_get_question_form:** Access internal quiz structures.\n\nIf the `tutor_ajax` dispatcher is not the entry point, look for specific AJAX hooks like `wp_ajax_tutor_save_quiz_answer_options` and test them directly using `action=tutor_save_quiz_answer_options`.","Tutor LMS version 3.9.5 and earlier fails to perform proper authorization checks in its centralized AJAX dispatcher or specific AJAX handlers. This allows authenticated users with Subscriber-level permissions to execute restricted functions, such as creating course announcements or modifying quiz settings, provided they possess a valid security nonce.","\u002F\u002F tutor\u002Fclasses\u002FAjax.php (Approximate logic in vulnerable versions)\n\npublic function tutor_ajax() {\n \u002F\u002F Nonce check is usually present\n check_ajax_referer('tutor_nonce', 'nonce');\n\n $action = isset($_POST['tutor_action']) ? sanitize_text_field($_POST['tutor_action']) : '';\n\n \u002F\u002F MISSING: current_user_can() check to ensure the user is an instructor or admin\n\n if (method_exists($this, $action)) {\n $this->$action();\n } elseif (is_callable($action)) {\n call_user_func($action);\n }\n \n wp_die();\n}","--- tutor\u002Fclasses\u002FAjax.php\n+++ tutor\u002Fclasses\u002FAjax.php\n@@ -10,6 +10,11 @@\n public function tutor_ajax() {\n check_ajax_referer('tutor_nonce', 'nonce');\n \n+ \u002F\u002F Added capability check to prevent unauthorized access\n+ if ( ! current_user_can('tutor_instructor') && ! current_user_can('manage_options') ) {\n+ wp_send_json_error( array( 'message' => __( 'Access Denied', 'tutor' ) ) );\n+ }\n+\n $action = isset($_POST['tutor_action']) ? sanitize_text_field($_POST['tutor_action']) : '';\n \n if (method_exists($this, $action)) {","1. Authentication: Log in to the WordPress site as a Subscriber-level user.\n2. Nonce Acquisition: Access the dashboard or any page where Tutor LMS scripts are loaded and extract the AJAX nonce from the JavaScript object `tutor_get_conf.nonce` or the `_tutor_nonce` HTML input.\n3. Identify Target Action: Choose a privileged Tutor LMS action typically restricted to instructors, such as 'tutor_announcement_create_or_update'.\n4. Payload Construction: Craft a POST request to `\u002Fwp-admin\u002Fadmin-ajax.php` with the parameters: `action=tutor_ajax`, `tutor_action=[TARGET_ACTION]`, `nonce=[NONCE]`, and action-specific data (e.g., `course_id`, `announcement_title`).\n5. Execution: Submit the request. Since the plugin fails to verify user capabilities beyond the nonce, the server will execute the privileged logic on behalf of the Subscriber.","gemini-3-flash-preview","2026-04-19 00:30:15","2026-04-19 00:32:02",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","3.9.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftutor\u002Ftags\u002F3.9.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftutor.3.9.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftutor\u002Ftags\u002F3.9.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftutor.3.9.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftutor\u002Ftags"]