Tutor LMS <= 2.7.4 - Cross-Site Request Forgery via 'addon_enable_disable'
CVE-2023-2919
4.3MEDIUM
Key Information:
- Vendor
Wordpress
- Vendor
- CVE Published:
- 10 September 2024
What is CVE-2023-2919?
The Tutor LMS plugin for WordPress has a vulnerability that allows Cross-Site Request Forgery due to improper nonce validation within the 'addon_enable_disable' functionality. This issue affects versions up to and including 2.7.4 and permits unauthenticated attackers to alter addon states by tricking a site administrator into unintentionally performing a specific action, such as clicking on a malicious link. As a result, critical functions within the plugin could be maliciously manipulated without proper authorization.
Affected Version(s)
Tutor LMS – eLearning and online course solution * <= 2.7.4