SQL Injection Vulnerability Patched in Tutor LMS WordPress Plugin

Mar 19, 2024 | Digital Marketing, Research, Vulnerabilities, WordPress Security

This post summarizes Wordfence's write-up of an authenticated SQL Injection vulnerability in the Tutor LMS WordPress plugin. The vulnerability, submitted during Wordfence's Bug Bounty Extravaganza, allows an authenticated attacker to extract sensitive data from the site's database. The researcher, Muhammad Hassham Nagori, reported it responsibly through the Wordfence Bug Bounty Program and earned a bounty of $625.00.

Wordfence contacted Themeum, the developer of Tutor LMS, which promptly released a patch on March 11, 2024. Site owners should update to the latest patched version, 2.6.2, to protect against exploits targeting this vulnerability.

The vulnerability summary from Wordfence Intelligence gives the technical details: the plugin's Q&A questions query builds a database query from user-supplied input insecurely, so an authenticated user can inject SQL and read data they should not be able to access. The Wordfence firewall provides protection against exploits targeting this vulnerability.
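The Wordfence summary does not reproduce the vulnerable query, so the following is an added, constructed illustration of the bug class it describes, not Tutor LMS code. It uses an in-memory SQLite database with an assumed `questions` table and an assumed `users` table, a "questions" lookup that interpolates request parameters into SQL (the pattern an unsafe `$wpdb->get_results()` call in a WordPress plugin would follow), and the same lookup hardened with a bound parameter for the value and an allowlist for the ORDER BY identifier. Table names, column names, the `course_id` and `order_by` parameters and the password hash are all assumptions for illustration.

```python
import sqlite3

# Constructed, in-memory schema standing in for the tables involved: a
# questions table (the Q&A data the feature legitimately reads) and a users
# table holding the data an attacker would go after. Names and values are
# assumptions, not the plugin's real schema.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE questions (id INTEGER, course_id INTEGER, title TEXT);
        INSERT INTO questions VALUES (1, 10, 'How do I submit?');
        INSERT INTO questions VALUES (2, 11, 'Is there a deadline?');
        CREATE TABLE users (id INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO users VALUES (1, 'admin', '$P$BfakeHashForIllustrationOnly');
        """
    )
    return conn


# Columns a caller is permitted to sort by; identifiers cannot be bound as
# parameters, so they must be validated against a fixed set instead.
ALLOWED_ORDER = {"id", "title"}


def list_questions_vulnerable(conn, course_id: str, order_by: str):
    # Vulnerable pattern: both request parameters are spliced into the SQL
    # text. Anything the caller sends becomes part of the query.
    sql = (
        f"SELECT id, course_id, title FROM questions "
        f"WHERE course_id = {course_id} ORDER BY {order_by}"
    )
    return conn.execute(sql).fetchall()


def list_questions_fixed(conn, course_id: str, order_by: str):
    # Hardened: the value travels as a bound parameter (after being coerced
    # to the integer it must be), and the sort column is allowlisted.
    if order_by not in ALLOWED_ORDER:
        raise ValueError(f"unexpected order column: {order_by!r}")
    sql = (
        "SELECT id, course_id, title FROM questions "
        f"WHERE course_id = ? ORDER BY {order_by}"
    )
    return conn.execute(sql, (int(course_id),)).fetchall()


# Constructed UNION-based payload for the course_id position: it matches the
# three selected columns, pulls login:hash pairs out of users into the title
# column, and comments out the trailing ORDER BY clause.
PAYLOAD = "10 UNION SELECT id, 0, user_login || ':' || user_pass FROM users --"


def demo():
    """Return (rows leaked by the vulnerable query, whether the fix blocked it)."""
    conn = build_db()
    leaked = list_questions_vulnerable(conn, PAYLOAD, "id")
    try:
        list_questions_fixed(conn, PAYLOAD, "id")
        blocked = False
    except ValueError:  # int() rejects the payload before any SQL runs
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    rows, blocked = demo()
    for row in rows:
        print(row)
    print("fixed query blocked payload:", blocked)
```

In a real WordPress plugin the hardened form corresponds to passing user input through `$wpdb->prepare()` placeholders rather than interpolating it, with any column or table name chosen by the caller checked against an allowlist first, since `prepare()` placeholders cover values only, not identifiers.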

The disclosure timeline shows the steps taken from receiving the submission to the release of the patched version. The article concludes by emphasizing the importance of updating to the latest version of Tutor LMS and ensuring site security. All Wordfence users are protected against this vulnerability.

The post is a reminder to WordPress site owners to keep their plugins updated, and an example of how researchers, security firms such as Wordfence, and developers working together through responsible disclosure and prompt patching keep sites secure.
