Several vulnerabilities have been found and patched in the Tutor LMS plugin. The first flaw made it possible for authenticated attackers to inject and execute arbitrary SQL statements on WordPress websites. This vulnerability makes it, possible for attackers, to obtain information it is stored in the database, including credentials, site information and other sensitive information.
There were also 5 other flaws allowing authenticated users to perform several unauthorised actions including, Escalation of user permissions and modifying course settings.
The Vulnerabilities were discovered by the WordFence team on the 15th December 2020 and fully Patched on the 16th Febuary 2021.
The Fully Patched version is 1.7.7
For full details please visit the Wordfence Blog.
If you would like assistance or would like to find out more please contact us
More technical information can be found at wpscan