While testing the popular WordPress LMS plugin, Tutor LMS, I was able to find that the plugin is vulnerable to Cross-Site Request Forgery (CSRF). All WordPress websites using Tutor LMS version 1.5.2 and below are affected.

CVE ID: CVE-2020-8615
CWE ID: CWE-352

Summary

The Tutor LMS WordPress plugin is a feature-packed plugin that enables users to create and sell courses. CSRF is an attack in which an attacker causes an unintended action to be performed on a site that the victim trusts and is authenticated to at the time of the attack.
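The standard WordPress defence against CSRF in a plugin is a nonce bound to the action and the user's session, checked before any state change, alongside a capability check. The following is an added illustration of that pattern and is not Tutor LMS code or the vendor's fix; the handler, option name and hook names (example_save_settings, example_course_price, example_nonce) are hypothetical, and the code assumes it is loaded inside WordPress as a plugin.

```php
<?php
/*
 * Added illustration (not Tutor LMS code): a hypothetical plugin settings
 * handler, first in a CSRF-prone form, then hardened with a WordPress nonce
 * and a capability check. Assumes it runs inside WordPress as a plugin.
 */

// --- CSRF-prone pattern: acts on any POST that reaches admin-post.php. ---
// A form on a third-party page submitted by a logged-in admin looks exactly
// like a legitimate one, because nothing ties the request to the admin page.
function example_save_settings_unsafe() {
    update_option( 'example_course_price', sanitize_text_field( $_POST['price'] ?? '' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// --- Hardened pattern: the form carries a nonce, the handler verifies it. ---
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="price"
               value="<?php echo esc_attr( get_option( 'example_course_price', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function example_save_settings_safe() {
    // check_admin_referer() verifies the nonce for this action and the current
    // user's session and calls wp_die() on failure; a forged request cannot
    // carry a valid nonce because the attacker's page never sees it.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // The nonce proves intent, not authority: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    update_option( 'example_course_price', sanitize_text_field( wp_unslash( $_POST['price'] ?? '' ) ) );
    wp_safe_redirect( admin_url( 'admin.php?page=example-settings' ) );
    exit;
}

// Route the admin-post.php action to the hardened handler (logged-in users only).
add_action( 'admin_post_example_save_settings', 'example_save_settings_safe' );
```

When auditing a plugin for CWE-352, look for every handler hooked to admin_post_*, wp_ajax_* or the REST API that changes state without a nonce or REST permission_callback check.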

Timeline

Vulnerability reported to the Tutor LMS team on January 30, 2020.
Tutor LMS version 1.5.3 containing the fix to the vulnerability was released on February 4, 2020.

Recommendation

It is highly recommended to update the plugin to the latest version.

Reference

For best security practices, you can follow the below guides:


About The Author

Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn't glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.

2 Comments

1. Hi,

   I am from Tutor LMS team. We cannot thank you enough Astra team! 😃
   We appreciate your help in testing the issues in the plugin and helping us to fix those so fast.
