PT-2023-6549 · WordPress · Tutor Lms

So Sakaguchi · Published 2023-01-12 · Updated 2025-03-25 · CVE-2023-0236

CVSS v2.0: 6.4 (Medium)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Tutor LMS WordPress plugin versions prior to 2.0.10

Description: The issue stems from the lack of protection of the SQL query structure in the Tutor LMS plugin for WordPress, potentially allowing a remote attacker to execute arbitrary code. In addition, the plugin does not properly sanitise and escape certain parameters, such as the reset key and user id, before outputting them, leading to Reflected Cross-Site Scripting. This could be exploited against high-privilege users, including administrators.

Recommendations: For versions prior to 2.0.10, update to version 2.0.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the reset key and user id parameters to minimise the risk of exploitation. Avoid using these parameters in sensitive operations until the issue is resolved.

Exploit

Fix

XSS

Found a problem in the description? Have something to add? Feel free to write to us 👾

Weakness Enumeration

Related identifiers

BDU:2023-07311
CVE-2023-0236

Affected products

Tutor Lms