CVE-2026-3358 Tutor LMS <= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the enrollnow and courseenrollment functions. Both enrollment endpoints...
Shortlinks by Pretty Links < 3.6.3 - Reflected Cross-Site Scripting via post_status
Description: The plugin does not sanitise and escape the post_status parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...
CVE-2021-24845
The CVE refers to the WordPress plugin Improved Include Page, version
WordPress <= 4.3.0 Privilege Escalation Vulnerability
The unauthorized operation is located in the XML-RPC post editing handler, in the file /wp-includes/class-wp-xmlrpc-server.php, lines 5042-5327. Analysis of the key code:
public function mw_editPost( $args ) {
    $this->escape( $args );
    $post_ID = (int) $args[0];   // ID of the post to be edited (owner checked later)
    $username = $args[1];        // username taken from the request XML
    $password = $args[2];        // password taken from the request XML
    $content_struct = $args[3];  // content struct taken from the request XML...