Security vulnerabilities in Tutor LMS, a WordPress plugin, open the door to information theft and privilege escalation. Five critical flaws in the plugin, including one high-severity bug stemming from unprotected AJAX endpoints. The five vulnerabilities all rate 6.5 out of 10 on the CVSS vulnerability-rating scale, making them medium in severity. The remaining flaws allow authenticated attackers to elevate user privileges and alter course content and settings, through the use of various AJAX actions. Site administrators should update to the patched version of the plugin.
Source: https://threatpost.com/tutor-lms-wordpress-security-holes/164868/