Cross-Site Request Forgery in Tutor LMS Plugin <= 1.5.2 - Update Immediately
While testing the popular WordPress LMS plugin, Tutor LMS, I was able to find that the plugin is vulnerable to Cross-Site Request Forgery (CSRF). All WordPress websites using Tutor LMS version 1.5.2 and below are affected.
CVE ID: CVE-2020-8615
CWE ID: CWE-352
The Tutor LMS WordPress plugin is a feature-packed plugin that enables users to create and sell courses. CSRF is an attack in which a hacker causes an unintended action to occur on a site that the victim trusts and is authenticated to at the time of the attack.
The vulnerability was reported to the Tutor LMS team on January 30, 2020.
Tutor LMS version 1.5.3, containing the fix for the vulnerability, was released on February 4, 2020.
It is highly recommended to update the plugin to the latest version.
- Tutor LMS Changelog
For best security practices, you can follow the guides below: