Cross-Site Request Forgery in Tutor LMS Plugin for WordPress
CVE-2024-1503

Currently unrated

Key Information:

Vendor
WordPress
Status
Vendor
CVE Published:
21 March 2024

Summary

The Tutor LMS plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) due to inadequate nonce validation in the erase_tutor_data() function. This vulnerability allows unauthenticated attackers to disable the plugin and erase course-related data, assuming they can trick an administrator into executing a malicious request, particularly if the 'Erase upon uninstallation' option is activated. Site administrators must be vigilant to avoid inadvertently executing harmful actions that could compromise their eLearning environments.
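
The kind of check the summary describes as inadequate, shown as an added example (this is not Tutor LMS code and is not taken from the plugin): a WordPress admin handler for a destructive action that verifies both the nonce and the caller's capability before acting. It assumes the file is loaded as a plugin inside WordPress; every example_* name, the action name and the option name are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Erase Handler
 * Added example, not Tutor LMS code. All example_* names are hypothetical.
 */

const EXAMPLE_ERASE_ACTION = 'example_erase_data';   // hypothetical action name
const EXAMPLE_ERASE_NONCE  = '_example_erase_nonce'; // hypothetical nonce field

// Settings-page form: the nonce field ties the request to this action,
// the current user and their session.
function example_render_erase_form(): void {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_ERASE_ACTION ); ?>">
        <?php wp_nonce_field( EXAMPLE_ERASE_ACTION, EXAMPLE_ERASE_NONCE ); ?>
        <?php submit_button( 'Erase data' ); ?>
    </form>
    <?php
}

// admin_post_{action} fires only for logged-in users; no admin_post_nopriv_ hook is added.
add_action( 'admin_post_' . EXAMPLE_ERASE_ACTION, 'example_handle_erase' );

function example_handle_erase(): void {
    // Destructive state changes are accepted over POST only.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Method not allowed.', '', array( 'response' => 405 ) );
    }
    // Authorization: a valid nonce alone does not prove the user may do this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // CSRF check: dies unless the request carries a valid nonce for this exact action.
    check_admin_referer( EXAMPLE_ERASE_ACTION, EXAMPLE_ERASE_NONCE );

    example_erase_data(); // hypothetical destructive routine

    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}

function example_erase_data(): void {
    // Stand-in for the site-specific cleanup: removes one hypothetical option.
    delete_option( 'example_plugin_data' );
}
```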

Timeline

  • Vulnerability published