The plugin is affected by a local file inclusion vulnerability through the maliciously constructed sub_page parameter of the pluginβs Tools, allowing high privilege users to include any local php file
https://your.domain/wp-admin/admin.php?page=tutor-toolsβ_page=..%2F..%2F..%2F..%2F..%2F..%2Findex