CVE-2024-1503

Name of the Vulnerable Software and Affected Versions The Tutor LMS – eLearning and online course solution plugin for WordPress versions up to, and including, 2.6.1

Description The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the erase tutor data() function. This allows unauthenticated attackers to deactivate the plugin and erase all data via a forged request if they can trick a site administrator into performing an action, such as clicking on a link, and the "Erase upon uninstallation" option is enabled. The vulnerability can be exploited by a remote attacker to perform a CSRF attack.

Recommendations For versions up to, and including, 2.6.1, consider disabling the erase tutor data() function until a patch is available to prevent exploitation. Additionally, restrict access to the plugin's uninstallation feature and ensure the "Erase upon uninstallation" option is disabled to minimize the risk of data loss.