Cross-Site Request Forgery in Tutor LMS Plugin for WordPress
CVE-2024-1503
Currently unrated
What is CVE-2024-1503?
The Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) because of inadequate nonce validation in the erase_tutor_data() function. An unauthenticated attacker can disable the plugin and erase course-related data, provided they can trick an administrator into executing a malicious request, particularly if the 'Erase upon uninstallation' option is activated. Site administrators must be vigilant to avoid inadvertently executing harmful actions that could compromise their eLearning environments.
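For comparison, here is how a destructive WordPress admin action is normally protected against CSRF. This is an added example, not code from Tutor LMS or its fix; the action name, nonce field name, option name and all example_lms_* functions are hypothetical, while the WordPress calls (wp_nonce_field, wp_verify_nonce, current_user_can, admin_post_ hooks) are the standard core API.

```php
<?php
// Added illustration: every example_lms_* name below is hypothetical and is
// not taken from the Tutor LMS code base.
const EXAMPLE_ERASE_ACTION = 'example_lms_erase_data';

// Settings-page form. wp_nonce_field() embeds a token bound to this action
// and to the logged-in user's session, which a third-party page cannot read.
function example_lms_render_erase_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_ERASE_ACTION ); ?>">
        <?php wp_nonce_field( EXAMPLE_ERASE_ACTION, 'example_lms_nonce' ); ?>
        <?php submit_button( 'Erase all course data', 'delete' ); ?>
    </form>
    <?php
}

// Stand-in for the real cleanup; here it only removes one hypothetical option.
function example_lms_erase_all_data() {
    delete_option( 'example_lms_settings' );
}

function example_lms_handle_erase() {
    // State-changing requests are accepted over POST only.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Method not allowed.', '', array( 'response' => 405 ) );
    }
    // Authorization: a nonce proves intent, not privilege, so check both.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // A missing token must fail the same way as a wrong one, so the check
    // is never wrapped in "if the field is present".
    $nonce = isset( $_POST['example_lms_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_lms_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, EXAMPLE_ERASE_ACTION ) ) {
        wp_die( 'Invalid or missing nonce.', '', array( 'response' => 403 ) );
    }
    example_lms_erase_all_data();
    wp_safe_redirect( admin_url( 'plugins.php' ) );
    exit;
}
// admin_post_{action} fires only for logged-in users; no _nopriv_ variant is registered.
add_action( 'admin_post_' . EXAMPLE_ERASE_ACTION, 'example_lms_handle_erase' );
```

With this pattern a request forged from another site still carries the administrator's cookies, but it cannot supply a valid nonce and is rejected before any data is touched.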