Description
The Sertifier Certificate & Badge Maker for WordPress – Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19. This is due to missing or incorrect nonce validation on the 'sertifier_settings' page. This makes it possible for unauthenticated attackers to update the plugin's api key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2025-08-23
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration change via CSRF
Action: Apply Update
AI Analysis

Impact

The vulnerability is a Cross‑Site Request Forgery on the "sertifier_settings" page caused by missing or incorrect nonce validation. An attacker can trick a logged‑in site administrator into clicking a crafted link or submitting a forged form, which then updates the plugin’s API key without the administrator’s consent. This change can be used to manipulate the plugin’s external communications or compromise data handled by the API.

Affected Systems

The flaw affects the Sertifier Certificate & Badge Maker for WordPress – Tutor LMS plugin distributed by Sertifier for any WordPress site that has a version of the plugin equal to or older than 1.19. The issue is limited to the settings page handling API key updates.

Risk and Exploitability

According to the CVSS score of 4.3 the vulnerability confers moderate severity. The EPSS score of less than 1% indicates a low probability of exploitation at this time, and it is not listed in the CISA KEV catalog. Attackers need to target an authenticated administrator and rely on user interaction (for example, clicking a malicious link or loading a strategically placed iframe). Because the exploitation requires the admin’s browser session, it is considered a low‑to‑moderate threat for sites that do not employ additional CSRF defenses.

Generated by OpenCVE AI on April 20, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Sertifier plugin to the latest version (greater than 1.19) which removes the missing nonce check.
  • If an update is not immediately possible, deactivate and delete the plugin to eliminate the risk of unauthorized API key changes.
  • Apply an additional CSRF protection mechanism such as a reputable security plugin or enforce stricter nonce validation on custom forms where feasible.

Generated by OpenCVE AI on April 20, 2026 at 19:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-28786 The Sertifier Certificate & Badge Maker for WordPress – Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19. This is due to missing or incorrect nonce validation on the 'sertifier_settings' page. This makes it possible for unauthenticated attackers to update the plugin's api key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
History

Wed, 08 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
References

Mon, 25 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 23 Aug 2025 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Sertifier
Sertifier certificates-open-badges Plugin
Wordpress
Wordpress wordpress
Vendors & Products Sertifier
Sertifier certificates-open-badges Plugin
Wordpress
Wordpress wordpress

Sat, 23 Aug 2025 04:30:00 +0000

Type Values Removed Values Added
Description The Sertifier Certificate & Badge Maker for WordPress – Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19. This is due to missing or incorrect nonce validation on the 'sertifier_settings' page. This makes it possible for unauthenticated attackers to update the plugin's api key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Sertifier Certificate & Badge Maker for WordPress – Tutor LMS <= 1.19 - Cross-Site Request Forgery to Settings Update
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Sertifier Certificates-open-badges Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:36.945Z

Reserved: 2025-07-18T19:39:17.462Z

Link: CVE-2025-7841

cve-icon Vulnrichment

Updated: 2025-08-25T16:11:33.157Z

cve-icon NVD

Status : Deferred

Published: 2025-08-23T05:15:33.097

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7841

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T20:00:10Z

Weaknesses