WordPress Plugin Vulnerabilities

Tutor LMS – eLearning and online course solution < 2.6.2 - Cross-Site Request Forgery to Plugin Deactivation and Data Erase

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.1. This is due to missing or incorrect nonce validation on the erase_tutor_data() function. This makes it possible for unauthenticated attackers to deactivate the plugin and erase all data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This requires the "Erase upon uninstallation" option to be enabled.

Affects Plugins

Plugin icon
tutor
Fixed in 2.6.2

References

CVE
CVE-2024-1503
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/050647a8-6743-46e4-b31c-0b5bd4a1007f

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
00ba773b-cd90-4da8-bff5-68fa38f6de1d

Timeline

Publicly Published
2024-03-12 (about 2 years ago)
Added
2024-03-12 (about 2 years ago)
Last Updated
2024-03-12 (about 2 years ago)

Other

Published
Title
Published
2022-08-02
Title
WP Hotel Booking < 1.10.6 - CSRF
Published
2022-05-23
Title
Private Files <= 0.40 - Protection Disabling via CSRF
Published
2025-04-09
Title
Buddypress Humanity <= 1.2 - Cross-Site Request Forgery to Privilege Escalation
Published
2024-08-26
Title
WP Armour Extended < 1.32 - Cross-Site Request Forgery
Published
2024-03-26
Title
RegistrationMagic < 5.3.1.0 - Cross-Site Request Forgery