The Astra Security team recently performed a security audit of the Tutor LMS plugin. The overall result was good, but the audit found a gap in Cross-Site Request Forgery (CSRF) protection, and today Tutor LMS has received a patch that fixes it.
What Was the Issue?
Researchers at Astra Security found that Tutor LMS version 1.5.2 and below is vulnerable to CSRF attacks. The Themeum team patched the issue and released Tutor LMS v1.5.3.
Cross-Site Request Forgery (CSRF) is a type of attack in which a malicious web site, email, blog, instant message, or program causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated. The attack works because the browser attaches the trusted site's session cookie to every request it sends there, including requests triggered from another origin, so the server cannot distinguish an attacker-induced request from a genuine one unless the request carries something the attacker cannot obtain, such as a nonce issued only on the site's own pages.
Because the forged request rides on the victim's existing session, an attacker who lured a logged-in administrator to a crafted page could use this vulnerability to approve themselves as an instructor or block other legitimate instructors. If the option to create courses without admin approval was enabled on the plugin's settings page, the attacker could then create courses directly as well.
This issue is now fixed. We strongly recommend updating your Tutor LMS installation immediately.
Changelog of Tutor LMS v1.5.3
Here is the full changelog of Tutor LMS v1.5.3 for your convenience.
- Added: Go next automatically after finishing a lesson even when there is no video.
- Added: Nonce field in the Add Instructor form, so the server can verify that the request originated from the dedicated page rather than from a third-party site.
- Security Update: Instructor approve/block actions are now handled by an Ajax POST request with a nonce check. In short, the CSRF vulnerability is fixed.
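
To make the two changelog items above concrete, here is an added illustration of the class of bug described in the "What Was the Issue?" section and of the fix shape the changelog names (POST-only handling plus a nonce check). This is example code written for this post, not Tutor LMS source: the Ajax action names, the nonce action string, the user-meta key, the `user_id`/`status` parameters and the script handle are all invented for the example. The WordPress API calls (`check_ajax_referer`, `current_user_can`, `wp_create_nonce`, `wp_localize_script` and friends) are real.

```php
<?php
/*
 * Added example, not Tutor LMS code. Shows a hypothetical "approve/block
 * instructor" admin-ajax handler in the shape that is open to CSRF, then the
 * hardened shape: POST only, WordPress nonce check, capability check, and
 * input validation. All names are invented for illustration.
 */

// --- Vulnerable shape (illustrative only, do not ship) ---------------------
// wp_ajax_* handlers run only for logged-in users, but nothing here proves
// the request came from a page this site rendered. Any site the admin has open
// can trigger it with an <img src="https://victim/wp-admin/admin-ajax.php?...">
// or an auto-submitted form, because the browser sends the auth cookie itself.
function example_set_instructor_status_vulnerable() {
    $user_id = (int) $_REQUEST['user_id'];   // accepts GET or POST, no nonce
    $status  = $_REQUEST['status'];          // unvalidated
    update_user_meta( $user_id, '_example_instructor_status', $status );
    wp_send_json_success();
}
// add_action( 'wp_ajax_example_set_instructor_status', 'example_set_instructor_status_vulnerable' );

// --- Hardened shape --------------------------------------------------------
function example_set_instructor_status_secure() {
    // 1. State-changing actions only over POST: a link or <img> cannot send one.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( 'POST required', 405 );
    }

    // 2. Nonce check. The token is tied to the logged-in user and the action
    //    name, is issued only on pages this site renders, and expires.
    //    check_ajax_referer() reads the 'nonce' field, runs wp_verify_nonce(),
    //    and dies with a -1 response when the check fails.
    check_ajax_referer( 'example_instructor_status', 'nonce' );

    // 3. Origin and authorization are separate questions: a valid nonce from a
    //    low-privilege user must still not be enough to approve instructors.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    // 4. Validate inputs before touching user meta.
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $status  = isset( $_POST['status'] ) ? sanitize_text_field( wp_unslash( $_POST['status'] ) ) : '';
    if ( ! $user_id || ! in_array( $status, array( 'approved', 'blocked' ), true ) ) {
        wp_send_json_error( 'Invalid request', 400 );
    }

    update_user_meta( $user_id, '_example_instructor_status', $status );
    wp_send_json_success( array( 'user_id' => $user_id, 'status' => $status ) );
}
add_action( 'wp_ajax_example_set_instructor_status', 'example_set_instructor_status_secure' );

// Issue the nonce to the admin page that renders the approve/block buttons.
// The page's script then POSTs { action, nonce, user_id, status } to ajaxUrl.
// For a classic HTML form, wp_nonce_field( 'example_instructor_status', 'nonce' )
// emits the same hidden field server-side.
function example_enqueue_instructor_script( $hook_suffix ) {
    wp_enqueue_script(
        'example-instructor',
        plugins_url( 'instructor.js', __FILE__ ),
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-instructor', 'exampleInstructor', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_instructor_status' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_instructor_script' );
```

Two points worth checking in any similar fix: the nonce must be verified on every state-changing endpoint, not only on the form that first introduced it, and a nonce proves request origin rather than permission, so the capability check stays in place alongside it. Nonces are also rejected after roughly 12 to 24 hours, so long-lived admin tabs should reload the page rather than retry with a stale token.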
We highly recommend updating to the latest version of Tutor LMS v1.5.3.
Update now, and start using the most secure LMS plugin (verified by Astra Security).