
Cloud Vulnerability DB
A community-led vulnerabilities database
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the Tutor LMS WordPress plugin versions before 1.5.3, identified as CVE-2020-8615. The vulnerability was discovered on February 4, 2020, and could allow attackers to approve themselves as instructors or perform other malicious actions such as blocking legitimate instructors (NVD, MITRE).
The vulnerability existed because the requests for instructor approval and blocking were sent using the GET method without proper CSRF protection. An attacker could exploit this by crafting malicious URLs and tricking an authenticated admin into visiting them. The attack could be executed through URLs like 'wp-admin/admin.php?page=tutor-instructors&action=approve&instructor=8' for self-approval or 'wp-admin/admin.php?page=tutor-instructors&action=blocked&instructor=7' for blocking other instructors. Additionally, CSRF attacks could be performed on the instructor addition form (WPScan, Researcher Blog).
The vulnerability could allow attackers to gain unauthorized instructor privileges on affected WordPress sites running Tutor LMS. If the option to create courses without admin approval was enabled, attackers could potentially create courses directly. This could lead to unauthorized access to the learning management system and potential disruption of legitimate instructor activities (Themeum Blog).
The vulnerability was patched in Tutor LMS version 1.5.3. The fix included adding nonce fields in the Add Instructor form and implementing proper CSRF protection for instructor approval/blocking through Ajax requests using the POST method. Users were strongly recommended to update to version 1.5.3 or later to protect against this vulnerability (Themeum Blog).
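The root cause and the fix described above, as an added example (not Tutor LMS code): a state-changing admin action driven by a GET query string with no CSRF check, beside a hardened version that follows the pattern the patch took, with a WordPress nonce, a capability check and a POST-only Ajax endpoint. Function names, hook names and the `_example_instructor_status` meta key are hypothetical; the WordPress API calls (`wp_create_nonce`, `check_ajax_referer`, `check_admin_referer`, `wp_nonce_field`, `current_user_can`, `wp_send_json_*`) are real.

```php
<?php
// Added example, not Tutor LMS code. Hypothetical names throughout.

// --- Vulnerable pattern ("before") -----------------------------------------
// Nothing binds this request to an action the admin actually chose: any
// cross-site request that makes an authenticated admin's browser load
// admin.php?page=tutor-instructors&action=approve&instructor=N changes state.
function example_vulnerable_instructor_action() {
    if ( ! isset( $_GET['page'], $_GET['action'], $_GET['instructor'] ) ) {
        return;
    }
    if ( 'tutor-instructors' !== $_GET['page'] ) {
        return;
    }
    $instructor_id = absint( $_GET['instructor'] );
    if ( 'approve' === $_GET['action'] ) {
        update_user_meta( $instructor_id, '_example_instructor_status', 'approved' );
    } elseif ( 'blocked' === $_GET['action'] ) {
        update_user_meta( $instructor_id, '_example_instructor_status', 'blocked' );
    }
}

// --- Hardened pattern ("after") ----------------------------------------------
// 1. The admin page renders a nonce bound to this specific action and
//    instructor; front-end JavaScript sends it with a POST to admin-ajax.php.
function example_render_instructor_row( $instructor_id ) {
    $nonce = wp_create_nonce( 'example_instructor_status_' . absint( $instructor_id ) );
    printf(
        '<button class="example-status" data-instructor="%d" data-nonce="%s" data-status="approved">Approve</button>',
        absint( $instructor_id ),
        esc_attr( $nonce )
    );
}

// 2. The Ajax handler accepts POST only, verifies the nonce, and confirms the
//    caller is allowed to manage users before anything is written.
add_action( 'wp_ajax_example_instructor_status', 'example_ajax_instructor_status' );
function example_ajax_instructor_status() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( 'POST required', 405 );
    }
    $instructor_id = isset( $_POST['instructor'] ) ? absint( $_POST['instructor'] ) : 0;

    // Ends the request with HTTP 403 if the 'nonce' field is missing, forged or expired.
    check_ajax_referer( 'example_instructor_status_' . $instructor_id, 'nonce' );

    // A nonce proves intent, not authority: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    $status = isset( $_POST['status'] ) ? sanitize_key( $_POST['status'] ) : '';
    if ( 0 === $instructor_id || ! in_array( $status, array( 'approved', 'blocked' ), true ) ) {
        wp_send_json_error( 'Bad request', 400 );
    }

    update_user_meta( $instructor_id, '_example_instructor_status', $status );
    wp_send_json_success( array( 'instructor' => $instructor_id, 'status' => $status ) );
}

// 3. The same protection for a classic HTML form such as "Add Instructor":
//    wp_nonce_field() in the form, check_admin_referer() in the handler.
function example_render_add_instructor_form() {
    echo '<form method="post">';
    wp_nonce_field( 'example_add_instructor', 'example_add_instructor_nonce' );
    echo '<input type="email" name="email"><button type="submit">Add</button></form>';
}

function example_handle_add_instructor() {
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        return;
    }
    // Dies with 403 on a missing or invalid nonce.
    check_admin_referer( 'example_add_instructor', 'example_add_instructor_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    $email = isset( $_POST['email'] ) ? sanitize_email( $_POST['email'] ) : '';
    // ... create the instructor account from $email ...
}
```

Two points the contrast makes: moving from GET to POST alone is not a fix (a cross-site form can POST), so the nonce is what actually ties the request to the admin's session and intent; and the nonce is not an authorization check, which is why the hardened handlers still call `current_user_can()` before writing.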
Source: This report was generated using AI