CVE-2026-3360

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the payincompleteorder function. The function accepts an...

WordPress Tutor LMS plugin <= 3.9.4 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by daroo in WordPress Plugin Tutor LMS versions = 3.9.4...

CVE-2026-23799

CVE-2026-23799 is a Missing Authorization / Broken Access Control flaw in Themeum Tutor LMS (Tutor LMS) up to version 3.9.5. CVSSv3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N with base score 6.5 (Medium). Public sources (NVD, Red Hat, CVE List, Patchstack, AttackKB, VulnEnrichment) id...

CVE-2025-13673

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'couponcode' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

PT-2026-22465

Name of the Vulnerable Software and Affected Versions Tutor LMS versions prior to 3.9.7 Description The Tutor LMS plugin for WordPress is susceptible to SQL Injection due to inadequate input validation and query preparation. Specifically, the coupon code parameter is not properly sanitized,...

CVE-2026-1371

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the ajaxcoupondetails function, which only validates nonces but does not verify use...

EUVD-2026-5275

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the ajaxcoupondetails function, which only validates nonces but does not verify use...

CVE-2025-47555 WordPress Tutor LMS plugin <= 3.9.4 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through = 3.9.4...

WordPress plugin Tutor LMS – eLearning and online course solution has security vulnerabilities.

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2025-13935

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'markcoursecomplete' function. This makes it possible for authenticated...

EUVD-2021-11156

Malware in sbrugna...

EUVD-2024-33417

Malicious code in bioql PyPI...

EUVD-2024-43961

Malicious code in bioql PyPI...

EUVD-2024-32774

Malicious code in bioql PyPI...

EUVD-2024-32775

Malicious code in bioql PyPI...

WordPress Tutor LMS Plugin <= 3.7.4 - SQL Injection Vulnerability

SQL Injection Vulnerability discovered by YCInfosec in WordPress Plugin Tutor LMS versions = 3.7.4...

CVE-2025-58993 WordPress Tutor LMS Plugin <= 3.7.4 - SQL Injection Vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Themeum Tutor LMS allows SQL Injection. This issue affects Tutor LMS: from n/a through 3.7.4...

CVE-2024-3994

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tutorinstructorlist' shortcode in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping on user supplied attribute...

CVE-2024-3553

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the hidenotices function in all versions up to, and including, 2.6.2. This makes it possible for unauthenticated attackers to enable us...

CVE-2023-0236

The Tutor LMS WordPress plugin before 2.0.10 does not sanitise and escape the resetkey and userid parameters before outputting then back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...