
Tutor LMS Pro Auth Bypass Vulnerability: 30k Sites Affected

By TrustYourWebsite Editorial

Source: Wordfence

What happened

Wordfence, a well-known WordPress security research company, has published a blog post about an authentication bypass vulnerability in the Tutor LMS Pro WordPress plugin. According to Wordfence, the issue affects WordPress sites running this plugin.

The number of affected sites cited in some reports is around 30,000, though this figure comes from the URL of the Wordfence post rather than confirmed body text, so it should be treated with caution. The full details of the vulnerability, including what versions are affected, whether a fix is available and how serious the flaw is, were not accessible at the time of writing.

What is an authentication bypass?

An authentication bypass is a type of security flaw that can allow someone to access parts of a website or its data without needing to log in properly. For a site running an online course platform like Tutor LMS Pro, this could potentially mean unauthorised access to student accounts, course content or payment information. That said, the specific nature of this particular flaw has not been confirmed in the available source material.

What should you do now?

If your website uses the Tutor LMS Pro plugin, there are a few sensible steps to take right away:

  • Check your plugins. Log in to your WordPress dashboard and look at your installed plugins. If Tutor LMS Pro is listed, note the version you are running.
  • Look for updates. Go to Dashboard > Updates and apply any available plugin updates. Keeping plugins up to date is one of the most effective ways to protect your site.
  • Visit the Wordfence blog directly. Once the full article is accessible, it will likely include the affected versions and any recommended actions. You can find the post at wordfence.com.
  • Review your security setup. Our security checklist for small businesses and guide on vulnerable WordPress plugins walk you through the basics in plain language.

Because the full Wordfence article was not accessible at the time of writing, this article will be updated once more details are confirmed.

What does this mean for your website?

If you use Tutor LMS Pro on your WordPress site, it is worth checking for plugin updates as a precaution, even before full details of this vulnerability are confirmed. As a business owner, keeping your site software current is one of the simplest ways to reduce your exposure to security risks. Check back on the Wordfence blog for confirmed guidance on affected versions and any available patches.
