Critical Security Issue in Multisite
-
Hi Tutor LMS team,
I’m currently working on a project that relies heavily on WordPress Multisite functionality, and I’m in the process of evaluating Tutor LMS as the core of our learning infrastructure.
However, I’ve encountered a critical issue that poses both a security risk and a serious limitation in the use of Tutor LMS within a Multisite environment. Specifically, instructor accounts created on one site are visible and accessible on all other sites in the network. This not only bloats the instructor list, but—as another developer mentioned in this ww.wp.xz.cn thread (https://ww.wp.xz.cn/support/topic/instructor-accounts-leaked-on-other-sites-in-a-multisite-install/)—is a clear security concern, as it exposes private instructor contact information across unrelated subsites.
This issue has been confirmed and reproduced by a professional developer I hired. In fact, the issue has already been resolved through custom development, and the fix works perfectly. The only thing missing is integrating this fix into the core of Tutor LMS so that it doesn’t get lost with each update.
And here’s the critical part for me:
With every Tutor LMS update, I’ll be forced to pay a developer again to reapply the same patch, because the fix is not part of the plugin core. This is not sustainable, and it significantly affects my decision to move forward with Tutor LMS as a long-term solution.
It’s also worth noting that in one of your support threads (https://ww.wp.xz.cn/support/topic/multisite-support-410/), it was said that Tutor LMS works with Multisite environments if the license is activated on each site. However, a later reply from your team on another thread (https://ww.wp.xz.cn/support/topic/instructor-accounts-leaked-on-other-sites-in-a-multisite-install/) states:
“At this time, Tutor LMS does not officially support WordPress Multisite environments.”
This contradiction is concerning, especially since Multisite support is crucial for developers like me building scalable educational networks.
I have two important questions:
1. If I become a paying customer with an annual license, would this type of issue be treated with higher priority to be implemented ASAP?
2. Is there a way to submit or collaborate on including the fix that’s already been developed into the core?
I genuinely want to use Tutor LMS and I’m still in the testing phase, but this issue is serious enough to discourage me from moving forward unless I see a clear path for resolution. This is not a feature request—this is a structural issue and a security flaw, and I hope it can be treated with the urgency it deserves.
Looking forward to your response.
Best regards