24 matches found
CVE-2026-9438
A vulnerability was found in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file courseDel.php. The manipulation of the argument ID results in improper control of resource identifiers. The attack may be performed from...
EUVD-2026-31647
A vulnerability was found in yashpokharna2555 StudentManagementSystem cb2f558ddf8d19396de0f92abf2d224d46a0a203. This impacts an unknown function of the file courseDel.php. The manipulation of the argument ID results in improper control of resource identifiers. The attack may be performed from...
CVE-2026-9438
The CVE-2026-9438 entry concerns yashpokharna2555 StudentManagementSystem, specifically the courseDel.php component. The issue arises from manipulation of the ID argument, leading to improper control of resource identifiers. This is exploitable remotely and is demonstrated as a public PoC. Accord...
CVE-2026-32894 Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Deletion of Any Student's Grade Result
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference IDOR vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the deletemark or...
CVE-2026-32894 Chamilo LMS has an IDOR in Gradebook Allows Cross-Course Deletion of Any Student's Grade Result
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference IDOR vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the deletemark or...
CVE-2026-32894
CVE-2026-32894 affects Chamilo LMS. Affected: gradebook result view in Chamilo before 1.11.38 and 2.0.0-RC.3. Issue: Insecure Direct Object Reference (IDOR) allows any authenticated teacher to delete any studentβs grade result across the platform by manipulating delete_mark or resultdelete GET pa...
π WordPress Tutor LMS 3.9.5 Insecure Direct Object Reference
WordPress Tutor LMS plugin versions 3.9.5 and below suffer from broken access control and insecure direct object reference vulnerabilities. CVE-2026-1375: Authenticated IDOR / Broken Access Control in Tutor LMS Plugin Disclaimer: This repository is created for educational purposes and ethical...
CVE-2026-1787
CVE-2026-1787 affects LearnPress Export Import (WordPress) up to version 4.1.0, due to a missing capability check in delete_migrated_data that allows unauthenticated attackers to delete courses migrated from Tutor LMS (Tutor LMS must be installed/activated). Connected sources indicate remediation...
WordPress Tutor LMS plugin <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion vulnerability
Insecure Direct Object Reference to Authenticated Instructor+ Arbitrary Course Modification and Deletion vulnerability discovered by WordFence in WordPress Plugin Tutor LMS versions = 3.9.5...
CVE-2026-1375 Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion
The Tutor LMS β eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References IDOR in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the courselistbulkaction, bulkdeletecourse, and...
CVE-2026-1375
The Tutor LMS β eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References IDOR in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the courselistbulkaction, bulkdeletecourse, and...
CVE-2026-1375
CVE-2026-1375 affects the Tutor LMS WordPress plugin (versions up to and including 3.9.5). The root cause is missing object-level authorization checks in three bulk-action functions: course_list_bulk_action(), bulk_delete_course(), and update_course_status(). This IDOR flaw allows authenticated u...
PT-2026-6043
Name of the Vulnerable Software and Affected Versions Tutor LMS versions prior to 3.9.5 Description The Tutor LMS plugin for WordPress is susceptible to Insecure Direct Object References IDOR due to insufficient object-level authorization checks. Specifically, the course list bulk action, bulk...
EUVD-2024-32829
Malicious code in bioql PyPI...
EUVD-2022-3244
Malicious code in bioql PyPI...
CVE-2024-4279
The Tutor LMS β eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutorcoursedelete' function due to missing validation on a user controlled key. This can allow...
CVE-2024-4279
The Tutor LMS β eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutorcoursedelete' function due to missing validation on a user controlled key. This can allow...
CVE-2024-4279
The Tutor LMS β eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutorcoursedelete' function due to missing validation on a user controlled key. This can allow...
CVE-2024-4279 Tutor LMS β eLearning and online course solution <= 2.7.0 - Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Course Deletion
The Tutor LMS β eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutorcoursedelete' function due to missing validation on a user controlled key. This can allow...
CVE-2024-4279
Summary: CVE-2024-4279 affects Tutor LMS β eLearning and online course solution for WordPress. An insecure direct object reference vulnerability exists in the tutor_course_delete function caused by missing validation on a user-controlled key, enabling an authenticated attacker with Instructor-lev...