Tutor LMS < 1.5.3 - Cross-Site Request Forgery (CSRF)

Tutor LMS WordPress plugin is vulnerable to Cross-Site Request Forgery (CSRF) attacks.

PoC

As the requests for the approval and blocking of instructors are sent using the GET method, the CSRF attack to approve an attacker-controlled instructor account can be performed by having the admin visit https://example.com/wp-admin/admin.php?page=tutor-instructors&amp;action;=approve&amp;instructor;=8 directly, after retrieving the instructor ID during the registration process. An approved instructor can also be blocked by directing the admin to visit https://example/wp-admin/admin.php?page=tutor-instructors&amp;action;=blocked&amp;instructor;=7. CSRF attack can also be performed on the form present at https://example/wp-admin/admin.php?page=tutor-instructors⊂_page=add_new_instructor in order to have the admin add an instructor account for the attacker, thus bypassing the requirement for approval. This can be done by tricking the admin to submit the below-given web form as a POST request. For example, if the web form is hosted on an attacker-controlled domain https://attacker.com/csrf.html, an admin who is logged in at https://example can be tricked into visiting the link and triggering the request to add an instructor.