The plugin does not implement adequate permission checks on its REST API endpoints, allowing unauthenticated attackers to read information from Lessons that should not be publicly available.
1. Create a new Course, add a Topic, and add a Lesson to the Topic.
2. In Tutor LMS > Settings > Course, ensure that "Course Visibility" is toggled to "On" (students must be logged in to view the course).
3. Run the following curl command to get the ID of the course:
curl http://SITE_URL/wp-json/tutor/v1/courses
4. Using the Course ID, run the following curl command to get the ID of the Topic:
curl http://SITE_URL/wp-json/tutor/v1/course-topic/<course-id>
5. Using the Topic ID, run the following curl command to get all of the data from the Lesson, without being logged in:
curl http://SITE_URL/wp-json/tutor/v1/lesson/<topic-id>
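The defect class above is a REST route registered with a permissive (or missing) permission callback; the corrected registration gates the handler on authentication and per-post read access. This is an added illustrative example, not Tutor LMS code: the route pattern, handler name and permission-callback name are assumptions.

```php
<?php
// Illustrative example (not Tutor LMS code). Route namespace mirrors the
// advisory; the (?P<id>\d+) pattern, handler and callback names are assumed.

// Weak form: '__return_true' lets any unauthenticated request reach the
// handler. Omitting 'permission_callback' entirely behaves the same way
// (WordPress 5.5+ only logs a _doing_it_wrong notice and still allows access).
add_action( 'rest_api_init', function () {
    register_rest_route( 'tutor/v1', '/lesson/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_lesson',   // assumed handler name
        'permission_callback' => '__return_true',
    ) );
} );

// Hardened form: the same route, but the permission callback runs before the
// handler and must return true (or a WP_Error) for every request.
add_action( 'rest_api_init', function () {
    register_rest_route( 'tutor/v1', '/lesson-secure/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_lesson',
        'permission_callback' => 'example_lesson_permission',
        'args'                => array(
            'id' => array( 'validate_callback' => 'absint', 'required' => true ),
        ),
    ) );
} );

// Returns true only for an authenticated user who may read the requested post.
// A plugin that enforces "Course Visibility" would add its enrolment check here.
function example_lesson_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $lesson_id = (int) $request['id'];
    // 'read_post' maps to the post type's capability; private or unpublished
    // lessons are rejected for users without the matching capability.
    if ( ! get_post( $lesson_id ) || ! current_user_can( 'read_post', $lesson_id ) ) {
        return new WP_Error( 'rest_forbidden', 'You cannot view this lesson.', array( 'status' => 403 ) );
    }
    return true;
}

function example_get_lesson( WP_REST_Request $request ) {
    $post = get_post( (int) $request['id'] );
    return rest_ensure_response( array(
        'id'      => $post->ID,
        'title'   => $post->post_title,
        'content' => $post->post_content,
    ) );
}
```

With the hardened registration, the unauthenticated curl requests in the steps above receive a 401 JSON error instead of lesson content.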