Report
The Tutor LMS plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 2.7.6. This is due to a missing check for the 'users_can_register' option in the 'register_instructor' function. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.
Score:5.3
Severity:Medium
Version: 2.7.6
There is a patch available in v2.7.7 and we strongly recommend you update to this version as soon as possible.
