CVE-2020-8615
Published: 2020-02-04
Priority: P347 · medium · 6.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Exploit: available
EPSS: 8.83% (94.5th percentile)
A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themeum | tutor_lms | < 1.5.3 | 1.5.3 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N |
| NVD | 2.0 | 2.6 | LOW | AV:N/AC:H/Au:N/C:N/I:P/A:N |
No detection rules found.
Exploit-DB

WordPress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery (Add User)
exploitdb · 2020-03-02 · CVSS 6.5

Exploit header as published:

```text
# Exploit Title: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery (Add User)
# Date: 2020-01-30
# Vendor Homepage: https://www.themeum.com/product/tutor-lms/
# Vendor Changelog: https://wordpress.org/plugins/tutor/#developers
# Exploit Author: Jinson Varghese Behanan
# Author Advisory: https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/
# Author Homepage: https://www.jinsonvarghese.com
# Version: 1.5.2 and below
# CVE : CVE-2020-8615

# 1. Description
# The Tutor LMS WordPress plugin is a feature-packed plugin that enables users to create and sell courses.
# An attacker can use CSRF to register themselves as an instructor or block other legit instructors.
```
Nuclei

Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery
nuclei · CVSS 6.5

Template:

```yaml
id: CVE-2020-8615

info:
  name: Wordpress Plugin Tutor LMS 1.5.3 - Cross-Site Request Forgery
  author: r3Y3r53
  severity: medium
  description: |
    A CSRF vulnerability in the Tutor LMS plugin before 1.5.3 for WordPress can result in an attacker approving themselves as an instructor and performing other malicious actions (such as blocking legitimate instructors).
  impact: |
    Attackers can exploit CSRF to approve themselves as instructors or block legitimate instructors, potentially disrupting the learning manag
```
References:

- http://packetstormsecurity.com/files/156585/WordPress-Tutor-LMS-1.5.3-Cross-Site-Request-Forgery.html
- https://wpvulndb.com/vulnerabilities/10058
- https://www.getastra.com/blog/911/plugin-exploit/cross-site-request-forgery-in-tutor-lms-plugin/
- https://www.jinsonvarghese.com/cross-site-request-forgery-in-tutor-lms/
- https://www.themeum.com/tutor-lms-updated-v1-5-3/