To the point:
- According to researchers, security flaws in Tutor LMS, a WordPress plugin used on over 20,000 sites, allow for information theft and privilege escalation.
- The plugin has five critical SQL-injection flaws, according to Wordfence.
- Site administrators should update to Tutor LMS v1.8.3, which has been patched.
Tutor LMS is a learning-management system for educators and teachers that helps them reach their students digitally. It facilitates the creation of courses, student forums, online classes, and other features. According to Wordfence, the plugin contains five critical SQL-injection flaws and at least one high-severity bug caused by unprotected AJAX endpoints.
The five SQL-injection vulnerabilities all have a CVSS severity rating of 6.5 out of 10, indicating that they are of medium severity. The most serious issue is the previously mentioned high-severity privilege-escalation bug, which has a CVSS score of 8.1.
All website owners should update to the patched version, Tutor LMS v1.8.3.