Cross-Site Request Forgery in Tutor LMS Plugin

While testing the popular WordPress LMS plugin, Tutor LMS, for one of Astra’s clients, I was able to find that the plugin is vulnerable to Cross-Site Request Forgery (CSRF). All WordPress websites using Tutor LMS version 1.5.2 and below are affected.



The Tutor LMS WordPress plugin is a feature-packed plugin that enables users to create and sell courses. CSRF is an attack in which a hacker causes an unintended action to occur on a site that the victim trusts and is authenticated on at the time of the attack.


  • Vulnerability reported to the Tutor LMS team – January 30, 2020.
  • Tutor LMS version 1.5.3 containing the fix released – February 4, 2020.


It is highly recommended to update the plugin to the latest version.


Written by
Jinson Varghese