CVE-2024-37266: 
WordPress vulnerability analysis and mitigation

A Path Traversal vulnerability (CVE-2024-37266) was discovered in Themeum's Tutor LMS WordPress plugin affecting versions up to 2.7.1. The vulnerability was disclosed on June 27, 2024, and was subsequently patched in version 2.7.2 (Patchstack).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') issue. It received a CVSS v3.1 base score of 7.2 (HIGH) from NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned it a CVSS score of 4.9 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability could potentially allow an authenticated attacker with administrative privileges to perform local file inclusion attacks. This could enable the attacker to access and view the contents of local files on the target website, potentially including sensitive information such as database credentials (Patchstack).

Users are advised to update to Tutor LMS version 2.7.2 or later to remediate this vulnerability. The security issue has been assessed as having a low severity impact and is considered unlikely to be exploited (Patchstack).