Source: Wordfence
Wordfence, a well-known WordPress security research company, has published a blog post about an authentication bypass vulnerability in the Tutor LMS Pro WordPress plugin. According to Wordfence, the issue affects WordPress sites running this plugin.
The number of affected sites cited in some reports is around 30,000, though this figure comes from the URL of the Wordfence post rather than confirmed body text, so it should be treated with caution. The full details of the vulnerability, including which versions are affected, whether a fix is available and how serious the flaw is, were not accessible at the time of writing.
An authentication bypass is a type of security flaw that can allow someone to access parts of a website or its data without needing to log in properly. For a site running an online course platform like Tutor LMS Pro, this could potentially mean unauthorised access to student accounts, course content or payment information. That said, the specific nature of this particular flaw has not been confirmed in the available source material.
If your website uses the Tutor LMS Pro plugin, there are a few sensible steps to take right away:
Because the full Wordfence article was not accessible at the time of writing, this article will be updated once more details are confirmed.
If you use Tutor LMS Pro on your WordPress site, it is worth checking for plugin updates as a precaution, even before full details of this vulnerability are confirmed. As a business owner, keeping your site software current is one of the simplest ways to reduce your exposure to security risks. Check back on the Wordfence blog for confirmed guidance on affected versions and any available patches.