
946 matches found

Vulnrichment
added 2026/02/03 7:31 a.m. | 3 views

CVE-2026-1375 Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the courselistbulkaction, bulkdeletecourse, and...

CVSS 8.1 | AI score 5.5 | EPSS 0.00345
Exploits: 1 | References: 5

CVE
added 2026/02/03 7:31 a.m. | 14 views

CVE-2026-1371

The CVE-2026-1371 entry concerns Tutor LMS for WordPress. Affected: Tutor LMS plugin versions up to and including 3.9.5. Root cause: missing authorization checks in ajax_coupon_details(), which only validates nonces and does not verify user capabilities. Impact: authenticated users with Subscribe...

CVSS 5.3 | AI score 5.3 | EPSS 0.00282
Exploits: 0 | References: 4

CNNVD
added 2026/02/03 12:00 a.m. | 4 views

WordPress plugin Tutor LMS information disclosure vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 5.3 | AI score 5.8 | EPSS 0.00282
Exploits: 0 | References: 5

CNNVD
added 2026/02/03 12:00 a.m. | 3 views

WordPress plugin Tutor LMS security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 8.1 | AI score 5.8 | EPSS 0.00345
Exploits: 1 | References: 5

Positive Technologies
added 2026/02/03 12:00 a.m. | 6 views

PT-2026-6043

Name of the Vulnerable Software and Affected Versions: Tutor LMS versions prior to 3.9.5. Description: The Tutor LMS plugin for WordPress is susceptible to Insecure Direct Object References (IDOR) due to insufficient object-level authorization checks. Specifically, the course list bulk action, bulk...

CVSS 8.1 | AI score 5.5 | EPSS 0.00345
Exploits: 1 | References: 8

Positive Technologies
added 2026/02/03 12:00 a.m. | 3 views

PT-2026-6042

Name of the Vulnerable Software and Affected Versions: Tutor LMS versions prior to 3.9.6. Description: The Tutor LMS plugin for WordPress has a flaw where sensitive coupon details can be accessed without proper authorization. The issue stems from insufficient validation within the ajax coupon detail...

CVSS 5.3 | AI score 5.4 | EPSS 0.00282
Exploits: 0 | References: 7

Patchstack
added 2026/02/02 10:55 p.m. | 6 views

WordPress Tutor LMS plugin <= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action vulnerability

Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin Tutor LMS versions <= 3.9.5...

CVSS 5.3 | AI score 5.3 | EPSS 0.00282
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2026/02/02 8:09 p.m. | 3 views

WordPress Tutor LMS - Migration Tool plugin <= 2.2.0 - Missing Authorization in tutor_import_from_xml vulnerability

WordPress Tutor LMS - Migration Tool plugin <= 2.2.0 - Missing Authorization in tutor_import_from_xml vulnerability discovered by Francesco Carlucci in WordPress Plugin Tutor LMS – Migration Tool versions <= 2.2.0...

CVSS 4.3 | AI score 5.3 | EPSS 0.00323
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2026/02/02 8:08 a.m. | 7 views

WordPress Tutor LMS Elementor Addons plugin <= 2.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Course Carousel Widget vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Course Carousel Widget vulnerability discovered by wesley wcraft in WordPress Plugin Tutor LMS Elementor Addons versions <= 2.1.4...

CVSS 6.4 | AI score 5.3 | EPSS 0.00323
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2026/01/30 8:26 a.m. | 5 views

WordPress Tutor LMS plugin <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion vulnerability

Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin Tutor LMS versions <= 3.9.2...

CVSS 4.3 | AI score 5.9 | EPSS 0.00202
Exploits: 0 | References: 1 | Affected Software: 1

RedhatCVE
added 2026/01/24 3:18 p.m. | 2 views

CVE-2026-24584

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS. This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0...

CVSS 5.9 | AI score 5.4 | EPSS 0.00212
Exploits: 0 | References: 1

RedhatCVE
added 2026/01/23 9:17 p.m. | 2 views

CVE-2025-47555

Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.4...

CVSS 3.8 | AI score 5.4 | EPSS 0.00295
Exploits: 0 | References: 1

NVD
added 2026/01/23 3:16 p.m. | 2 views

CVE-2026-24584

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS. This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0...

CVSS 5.9 | EPSS 0.00212
Exploits: 0 | References: 1

CVE
added 2026/01/23 2:28 p.m. | 9 views

CVE-2026-24584

CVE-2026-24584 affects the WordPress plugin “Tutor LMS BunnyNet Integration” (Themeum) up to version 1.0.0. The issue is a DOM-based XSS caused by improper input neutralization during web page generation. Public sources in the Connected Documents (Wordfence, CVE listings) confirm the vulnerabilit...

CVSS 5.9 | AI score 5.4 | EPSS 0.00212
Exploits: 0 | References: 1

Vulnrichment
added 2026/01/23 2:28 p.m. | 1 views

CVE-2026-24584 WordPress Tutor LMS BunnyNet Integration plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS. This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0...

CVSS 5.9 | AI score 5.9 | EPSS 0.00212
Exploits: 0 | References: 1

ATTACKERKB
added 2026/01/23 2:28 p.m. | 2 views

CVE-2026-24584

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS. This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0...

CVSS 5.9 | AI score 5.9 | EPSS 0.00212
Exploits: 0 | References: 2

Cvelist
added 2026/01/23 2:28 p.m. | 27 views

CVE-2026-24584 WordPress Tutor LMS BunnyNet Integration plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS. This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0...

CVSS 5.9 | EPSS 0.00212
Exploits: 0 | References: 1

CNNVD
added 2026/01/23 12:00 a.m. | 5 views

WordPress plugin Tutor LMS BunnyNet Integration: Cross-site scripting vulnerabilities

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 5.9 | AI score 5.7 | EPSS 0.00212
Exploits: 0 | References: 1

NVD
added 2026/01/22 5:15 p.m. | 4 views

CVE-2025-47555

Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.4...

CVSS 3.8 | EPSS 0.00295
Exploits: 0 | References: 1

CVE
added 2026/01/22 4:51 p.m. | 9 views

CVE-2025-47555

CVE-2025-47555 is an Authorization Bypass in Themeum Tutor LMS (Tutor) caused by incorrect access control, allowing a user-controlled key to bypass restrictions. Affected: Tutor LMS versions up to 3.9.4 (n/a through

CVSS 3.8 | AI score 5.4 | EPSS 0.00295
Exploits: 0 | References: 1