Cross-Site Request Forgery in Tutor LMS Plugin

While testing the popular WordPress LMS plugin Tutor LMS for one of Astra's clients, I found that the plugin is vulnerable to Cross-Site Request Forgery (CSRF). All WordPress sites running Tutor LMS version 1.5.2 or below are affected.

CVE-2020-8615

Summary

Tutor LMS is a feature-packed WordPress plugin that lets site owners create and sell courses. CSRF is an attack in which the attacker tricks the victim's browser into sending a request to a site where the victim is currently authenticated, so that the site performs an action the victim never intended. Because the browser attaches the victim's session cookies automatically, the site cannot tell the forged request from a legitimate one unless it also checks a value the attacker cannot obtain, such as a per-user nonce tied to the action.
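To make the mechanism concrete, the following is an added example and not Tutor LMS code or code from the original post: a WordPress admin-ajax handler written in the vulnerable pattern (no nonce, no capability check), beside a hardened version that verifies both. The action name `demo_update_price`, the meta key `_demo_course_price`, the handler and form function names, and the attacker page in the comment are all hypothetical; the WordPress functions used (`check_ajax_referer`, `wp_create_nonce`, `current_user_can`, `wp_send_json_*`) are real core APIs.

```php
<?php
// Added illustration, not Tutor LMS code. Hypothetical "course price" update
// exposed through admin-ajax.php.

// VULNERABLE PATTERN: the handler trusts the request solely because the
// browser attached the logged-in user's cookies. A page on any other origin
// can auto-submit this request and it runs with the victim's privileges:
//
//   <form action="https://victim-site.example/wp-admin/admin-ajax.php" method="post">
//     <input type="hidden" name="action"    value="demo_update_price">
//     <input type="hidden" name="course_id" value="42">
//     <input type="hidden" name="price"     value="0">
//   </form>
//   <script>document.forms[0].submit();</script>
add_action( 'wp_ajax_demo_update_price', 'demo_update_price_vulnerable' );
function demo_update_price_vulnerable() {
    $course_id = absint( $_POST['course_id'] ?? 0 );
    $price     = floatval( $_POST['price'] ?? 0 );
    // No nonce check and no capability check before writing.
    update_post_meta( $course_id, '_demo_course_price', $price );
    wp_send_json_success();
}

// HARDENED PATTERN: bind the request to a nonce that only a page rendered
// for this user contains, and separately confirm the user may edit the course.
// The nonce defeats CSRF; the capability check is still needed because a nonce
// proves the request came from the user's own page, not that the user is
// allowed to perform the action.
add_action( 'wp_ajax_demo_update_price_safe', 'demo_update_price_safe' );
function demo_update_price_safe() {
    // Terminates the request with "-1" (HTTP 403) unless $_REQUEST['_ajax_nonce']
    // verifies against the 'demo_update_price' action for the current user.
    check_ajax_referer( 'demo_update_price', '_ajax_nonce' );

    $course_id = absint( $_POST['course_id'] ?? 0 );
    if ( ! $course_id || ! current_user_can( 'edit_post', $course_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $price = floatval( $_POST['price'] ?? 0 );
    if ( $price < 0 ) {
        wp_send_json_error( 'invalid price', 400 );
    }

    update_post_meta( $course_id, '_demo_course_price', $price );
    wp_send_json_success( array( 'course_id' => $course_id, 'price' => $price ) );
}

// The legitimate form embeds the nonce. An attacker's page cannot read it
// (same-origin policy), so it cannot build a request that passes the check.
function demo_render_price_form( $course_id ) {
    $nonce = wp_create_nonce( 'demo_update_price' );
    printf(
        '<form method="post" action="%s">' .
        '<input type="hidden" name="action" value="demo_update_price_safe">' .
        '<input type="hidden" name="_ajax_nonce" value="%s">' .
        '<input type="hidden" name="course_id" value="%d">' .
        '<input type="number" name="price" step="0.01" min="0">' .
        '<button type="submit">Save</button>' .
        '</form>',
        esc_url( admin_url( 'admin-ajax.php' ) ),
        esc_attr( $nonce ),
        absint( $course_id )
    );
}
```

When auditing a plugin for this class of bug, look for every `wp_ajax_*`, `admin_post_*` or form-handling hook whose callback reaches a state-changing call (`update_post_meta`, `update_option`, `wp_insert_post`, `$wpdb->update`, and so on) without a preceding `check_ajax_referer`, `check_admin_referer` or `wp_verify_nonce`; WordPress nonces are also time-limited and bound to the user's session token, so a captured nonce does not help an attacker indefinitely.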

Timeline

  • Vulnerability reported to the Tutor LMS team – January 30, 2020.
  • Tutor LMS version 1.5.3 containing the fix released – February 4, 2020.

Recommendation

It is highly recommended to update the plugin to version 1.5.3 or later, which contains the fix.

Reference

  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8615
  • https://nvd.nist.gov/vuln/detail/CVE-2020-8615
  • https://wpvulndb.com/vulnerabilities/10058
  • https://wordpress.org/plugins/tutor/#developers

Written by
Jinson Varghese