CVE-2023-2919: 
WordPress vulnerability analysis and mitigation

The Tutor LMS plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in versions up to and including 2.7.4. The vulnerability exists due to missing or incorrect nonce validation in the 'addonenabledisable' function. This security flaw allows unauthenticated attackers to enable or disable plugin addons by tricking site administrators into performing specific actions, such as clicking on malicious links (CVE Mitre).

The vulnerability stems from inadequate security controls in the addonenabledisable function within the Ajax.php file. The function, which handles the enabling and disabling of plugin addons, lacks proper CSRF protection through nonce validation. While the function does check for administrative privileges using currentusercan('manage_options'), it fails to implement proper request verification mechanisms (WordPress Plugin).

If successfully exploited, this vulnerability could allow attackers to manipulate the plugin's addon settings without proper authorization. An attacker could potentially enable or disable critical functionality of the Tutor LMS plugin by crafting malicious requests that are executed when an administrator clicks on a specially crafted link (CVE Mitre).

The vulnerability has been patched in version 2.7.5 of the Tutor LMS plugin. Site administrators are strongly advised to update to this version or later to protect against potential CSRF attacks. Until the update can be applied, administrators should be cautious when clicking links while logged into the WordPress dashboard (CVE Mitre).