Wordfence Threat Intelligence team responsibly disclosed several vulnerabilities in Tutor LMS, a WordPress plugin installed on over 20,000 sites.
The first five flaws made it possible for authenticated attackers to inject and execute arbitrary SQL statements on WordPress sites. This made it possible for attackers to obtain information stored in a site’s database, including user credentials, site options, and other sensitive information.
The remaining flaws made it possible for authenticated attackers to perform several unauthorized actions like escalate user privileges and modify course settings through the use of various AJAX actions.
Team initially reached out to Tutor LMS on December 15, 2020. They received a response confirming the appropriate inbox for handling the discussion on December 21, 2020 and supplied the full disclosure details that same day.
Tutor LMS acknowledged their report just a day later and released the first set of patches on December 30, 2020. After a few follow-ups and a few revised versions, a sufficiently patched version of the plugin was released on February 16, 2021.
Several of the patched vulnerabilities are very severe. Therefore, we highly recommend updating to the patched version, 1.8.3, immediately.
