CVE-2021-24184: 
WordPress vulnerability analysis and mitigation

CVE-2021-24184 is a security vulnerability discovered in the Tutor LMS WordPress plugin affecting versions below 1.7.7. The vulnerability was publicly disclosed on March 15, 2021, and involves unprotected AJAX endpoints that could lead to privilege escalation. The issue was discovered by security researcher Chloe Chamberland (Wordfence, WPScan).

The vulnerability has been assigned a CVSS score of 8.1 (High) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. It is classified under CWE-269, relating to improper privilege management. The technical issue stems from several AJAX endpoints in the plugin that were left unprotected, which could allow students to modify course information and elevate their privileges (Wordfence).

The vulnerability allows students to modify course information and potentially elevate their privileges to higher access levels within the system. This could lead to unauthorized access to sensitive course materials and administrative functions (WPScan).

The vulnerability has been patched in Tutor LMS version 1.7.7. Site administrators are strongly advised to update to this version or later to protect against potential exploitation (Wordfence).