While testing Tutor LMS, a popular WordPress LMS plugin, for one of Astra's clients, I found that the plugin is vulnerable to Cross-Site Request Forgery (CSRF). All WordPress sites running Tutor LMS version 1.5.2 or below are affected.
Tutor LMS is a feature-rich WordPress plugin for creating and selling online courses. Cross-Site Request Forgery is an attack in which a victim who is logged in to a trusted site is tricked into sending a request to it, for example by visiting an attacker-controlled page. Because the browser attaches the victim's session cookies automatically, the site performs the unintended, state-changing action with the victim's privileges unless the request carries something the attacker cannot supply, such as a nonce.
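To make the defence concrete, here is an added example (not Tutor LMS code, and not the actual vulnerable code path in the plugin) showing a WordPress AJAX handler that changes state, first written without CSRF protection and then hardened the way WordPress expects: a nonce check plus a capability check. The action names, the `example_enroll_mode` option and the form are hypothetical; the WordPress functions used (`check_ajax_referer`, `wp_nonce_field`, `current_user_can`, `wp_send_json_*`) are real core APIs.

```php
<?php
/**
 * Added illustration, not Tutor LMS code. Hypothetical action names and option key.
 * Shows a state-changing WordPress AJAX handler without CSRF protection and its
 * hardened counterpart.
 */

// --- Vulnerable pattern: trusts any request from a logged-in user -------------
// If a site admin visits an attacker-controlled page that auto-submits this
// request, the browser sends the WordPress auth cookies along with it, so the
// handler runs with the admin's privileges and no origin check is performed.
function example_vulnerable_save_settings() {
    $enroll_mode = sanitize_text_field( wp_unslash( $_POST['enroll_mode'] ?? '' ) );
    update_option( 'example_enroll_mode', $enroll_mode ); // state changes unconditionally
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings_vuln', 'example_vulnerable_save_settings' );

// --- Hardened pattern: nonce + capability + input validation -----------------
function example_hardened_save_settings() {
    // 1. CSRF defence. The nonce is tied to this action and to the current user's
    //    session. An attacker's page cannot read it (same-origin policy), so a
    //    forged cross-site request fails here. With the default third argument,
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_save_settings', '_wpnonce' );

    // 2. Authorization. A nonce proves intent, not privilege; still confirm the
    //    user is allowed to perform this action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Validate the value against an allow-list before persisting it.
    $allowed     = array( 'open', 'paid', 'closed' );
    $enroll_mode = sanitize_text_field( wp_unslash( $_POST['enroll_mode'] ?? '' ) );
    if ( ! in_array( $enroll_mode, $allowed, true ) ) {
        wp_send_json_error( 'invalid value', 400 );
    }

    update_option( 'example_enroll_mode', $enroll_mode );
    wp_send_json_success();
}
// wp_ajax_{action} only fires for logged-in users; wp_ajax_nopriv_{action}
// would be needed for anonymous callers and is deliberately not registered.
add_action( 'wp_ajax_example_save_settings', 'example_hardened_save_settings' );

// --- Emitting the nonce on the legitimate settings page ----------------------
// The form carries the nonce as a hidden field; the request submits it together
// with the action name, which is what check_ajax_referer() validates above.
function example_render_settings_form() {
    ?>
    <form id="example-settings" method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_settings', '_wpnonce' ); ?>
        <input type="hidden" name="action" value="example_save_settings">
        <select name="enroll_mode">
            <option value="open">open</option>
            <option value="paid">paid</option>
            <option value="closed">closed</option>
        </select>
        <button type="submit">Save</button>
    </form>
    <?php
}
```

A quick way to confirm the hardening works is to replay the same POST from a page on another origin, or simply strip the `_wpnonce` parameter: the hardened handler rejects the request before `update_option()` runs, whereas the vulnerable handler happily writes the attacker's value. Note that the nonce check and the capability check answer different questions and both are needed; the nonce defeats forged requests, the capability check stops a low-privilege user who legitimately holds a valid nonce from reaching an admin-only operation.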
- Vulnerability reported to the Tutor LMS team – January 30, 2020.
- Tutor LMS version 1.5.3 containing the fix released – February 4, 2020.
Site owners are strongly advised to update Tutor LMS to version 1.5.3 or later.