CVE-2023-3133: 
WordPress vulnerability analysis and mitigation

The Tutor LMS WordPress plugin versions before 2.2.1 contained a security vulnerability identified as CVE-2023-3133. The vulnerability was discovered on June 12, 2023, and affected the plugin's REST API endpoints, which lacked adequate permission checks. This security flaw impacted websites using the Tutor LMS plugin for WordPress, specifically affecting the course lesson access control mechanism (WPScan).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue and falls under the OWASP Top 10 category A5: Broken Access Control. It received a CVSS score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating high confidentiality impact with network access vector and no privileges required (NVD).

The vulnerability allowed unauthenticated attackers to access information from Lessons that should not be publicly available. This means that even when course visibility settings were configured to require student login, unauthorized users could still access restricted course content through the REST API endpoints (WPScan).

The vulnerability was patched in Tutor LMS version 2.2.1. Website administrators running affected versions should update to version 2.2.1 or later to protect against unauthorized access to course content (WPScan).