Lucene search
+L
ThemeumTutor Lms

49 matches found

CVE
CVE
added 2020/02/04 7:1 p.m.150 views

CVE-2020-8615

CVE-2020-8615 is a CSRF vulnerability in the WordPress Tutor LMS plugin up to version 1.5.3 (fixed in 1.5.3). The issue allows an attacker to approve themselves as an instructor and perform other actions (e.g., blocking legitimate instructors). The root cause is CSRF in Tutor LMS’s instructor-man...

6.5CVSS6.4AI score0.0883EPSS
Web
CVE
CVE
added 2024/11/21 7:35 a.m.135 views

CVE-2024-10400

The Tutor LMS plugin for WordPress is vulnerable to unauthenticated SQL Injection via the rating_filter parameter in versions up to 2.7.6 due to insufficient escaping and missing preparation of the SQL query. Impact: potential exposure of sensitive database data. Affected: all versions ≤ 2.7.6. R...

7.5CVSS7.6AI score0.82464EPSS
CVE
CVE
added 2023/02/06 7:59 p.m.108 views

CVE-2023-0236

CVE-2023-0236 corresponds to a reflected XSS in the WordPress Tutor LMS plugin prior to 2.0.10. The vulnerability stems from failure to sanitize and escape reset_key and user_id when echoing them back in attributes, enabling an attacker to inject scripts into the browser of an authenticated user ...

6.1CVSS6AI score0.01347EPSS
Web
CVE
CVE
added 2024/05/16 9:32 a.m.81 views

CVE-2024-4222

CVE-2024-4222 affects the Tutor LMS Pro WordPress plugin. A missing capability check in multiple functions allows unauthenticated attackers to add, modify or delete user meta and plugin options across versions up to 2.7.0. The issue enables unauthorized data access/modification and data loss. Rem...

8.2CVSS6.6AI score0.00329EPSS
CVE
CVE
added 2024/05/16 9:32 a.m.80 views

CVE-2024-4352

CVE-2024-4352 affects Tutor LMS Pro for WordPress. The Red Hat and NVD entries confirm a missing capability check in the function get_calendar_materials, enabling unauthorized access and data modification/loss. It also permits SQL Injection via the year parameter due to insufficient escaping and ...

8.8CVSS7AI score0.01183EPSS
CVE
CVE
added 2024/02/20 6:56 p.m.79 views

CVE-2024-1133

The Tutor LMS WordPress plugin (versions up to and including 2.6.0) is vulnerable to unauthorized access of restricted Q&A content due to a missing capability check when interacting with questions.Authenticated users with subscriber access or higher can interact with questions in courses they are...

4.3CVSS5.2AI score0.00375EPSS
CVE
CVE
added 2024/05/16 9:32 a.m.78 views

CVE-2024-4351

CVE-2024-4351 affects Tutor LMS Pro (WordPress) where a missing capability check in the authenticate function across versions up to and including 2.7.0 allows authenticated users with subscriber-level permissions or higher to gain control of an existing administrator account. Public details confi...

8.8CVSS6.6AI score0.01023EPSS
CVE
CVE
added 2024/11/21 6:49 a.m.71 views

CVE-2024-10393

CVE-2024-10393 affects the WordPress Tutor LMS plugin, vulnerable in versions

5.3CVSS5.2AI score0.00563EPSS
CVE
CVE
added 2024/02/20 6:56 p.m.70 views

CVE-2024-1128

CVE-2024-1128 affects the WordPress Tutor LMS plugin (versions up to and including 2.6.0). The vulnerability is HTML Injection in the Q&A functionality caused by insufficient sanitization of HTML input, allowing authenticated users with Student-level access and above to inject arbitrary HTML onto...

5.4CVSS6AI score0.00506EPSS
CVE
CVE
added 2024/06/11 9:15 a.m.69 views

CVE-2023-25799

CVE-2023-25799 describes a Missing/Broken Authorization vulnerability in the WordPress plugin Tutor LMS . Affected versions are Tutor LMS: from n/a through 2.1.8. The issue is caused by insufficient authorization checks, enabling access control bypass for certain actions. Public references from P...

8.8CVSS8.7AI score0.00458EPSS
CVE
CVE
added 2022/10/17 12:0 a.m.68 views

CVE-2022-2563

CVE-2022-2563 affects the Tutor LMS WordPress plugin

4.8CVSS4.7AI score0.00573EPSS
CVE
CVE
added 2021/04/05 6:27 p.m.67 views

CVE-2021-24184

CVE-2021-24184 affects Tutor LMS (WordPress plugin) versions before 1.7.7. The vulnerability is due to unprotected AJAX endpoints that allow students to modify course information and elevate privileges, among other actions. Impact includes privilege escalation and alteration of course data. The i...

8.8CVSS8.6AI score0.01439EPSS
Web
CVE
CVE
added 2024/05/16 8:32 a.m.67 views

CVE-2024-4223

CVE-2024-4223 affects Tutor LMS – eLearning and online course solution (WordPress plugin) up to version 2.7.0. A missing capability check enables unauthenticated attackers to add, modify, or delete data via HTTP requests (network vector). Wordfence lists a patched status for this CVE, indicating ...

9.8CVSS6.6AI score0.00517EPSS
CVE
CVE
added 2021/08/02 10:32 a.m.66 views

CVE-2021-24455

CVE-2021-24455 affects the WordPress plugin Tutor LMS – eLearning and online course solution. The vulnerability lies in the Summary field of Announcements, which is not escaped when output inside an attribute, allowing a Stored Cross-Site Scripting (XSS) vulnerability. The issue can be triggered ...

5.4CVSS5.5AI score0.00747EPSS
Web
CVE
CVE
added 2024/04/25 9:29 a.m.66 views

CVE-2024-3994

CVE-2024-3994 affects Tutor LMS – eLearning and online course solution for WordPress. It is a Stored XSS in the tutor_instructor_list shortcode caused by insufficient input sanitization and output escaping on user-supplied attributes in versions up to and including 2.6.2. Exploitation requires au...

5.4CVSS5.7AI score0.00385EPSS
CVE
CVE
added 2023/11/03 4:26 p.m.65 views

CVE-2023-25800

CVE-2023-25800 affects the WordPress Tutor LMS Plugin, vulnerable in versions n/a through 2.2.0 due to improper neutralization of user input in SQL commands (SQL injection). Impact is high (C, I, A) per CVSS; exploitation status not detailed in the provided docs. Remediation: update to version 2....

8.8CVSS8.8AI score0.0069EPSS
CVE
CVE
added 2024/05/16 5:33 a.m.64 views

CVE-2024-4318

CVE-2024-4318 (Tutor LMS – WordPress) is a time-based SQL Injection in Tutor LMS up to and including version 2.7.0 via the question_id parameter, caused by insufficient escaping and improper query preparation. Exploitation is possible by authenticated users with Instructor-level permissions and h...

8.8CVSS7.1AI score0.00511EPSS
CVE
CVE
added 2024/05/02 4:52 p.m.63 views

CVE-2024-3553

CVE-2024-3553 affects Tutor LMS for WordPress up to version 2.6.2. Root cause: hide_notices() lacked a proper capability check, enabling any authenticated user to modify users_can_register and enable registration via the admin page. Patch v2.7.0 adds current_user_can('manage_options') in addition...

6.5CVSS6.6AI score0.00466EPSS
Web
CVE
CVE
added 2022/01/24 8:1 a.m.61 views

CVE-2021-25017

The CVE-2021-25017 entry concerns the Tutor LMS WordPress plugin, specifically versions before 1.9.12, where the search parameter is not escaped before being echoed back into an admin-page attribute, causing a Reflected Cross-Site Scripting (XSS) vulnerability. The affected component is the admin...

6.1CVSS6AI score0.01005EPSS
Web
CVE
CVE
added 2023/11/03 4:44 p.m.61 views

CVE-2023-25700

The CVE-2023-25700 entry concerns the WordPress Tutor LMS plugin. A SQL Injection vulnerability arises from improper neutralization of special elements in SQL commands within Tutor LMS, affecting versions up to and including 2.1.10. The issue permits unauthenticated attackers to inject SQL throug...

9.8CVSS8.9AI score0.00756EPSS
CVE
CVE
added 2024/08/18 9:39 p.m.61 views

CVE-2024-43282

CVE-2024-43282 is an SQL injection vulnerability in Tutor LMS (authenticated, Administrator+ access) that affects Tutor LMS versions up to and including 2.7.2. Root cause is improper neutralization of input elements in an SQL command. The vulnerability is actively tracked with a patched status, a...

7.6CVSS7.9AI score0.00439EPSS
CVE
CVE
added 2024/07/09 10:8 a.m.60 views

CVE-2024-37266

CVE-2024-37266: WordPress Tutor LMS plugin suffers from an improper limitation of a pathname (path traversal) in Tutor LMS, affecting versions n/a through 2.7.1. Root cause is pathname restriction, enabling traversal to restricted directories. Publicly documented remediation from connected source...

7.2CVSS6AI score0.00618EPSS
CVE
CVE
added 2024/05/16 5:33 a.m.60 views

CVE-2024-4279

Summary: CVE-2024-4279 affects Tutor LMS – eLearning and online course solution for WordPress. An insecure direct object reference vulnerability exists in the tutor_course_delete function caused by missing validation on a user-controlled key, enabling an authenticated attacker with Instructor-lev...

6.5CVSS6.5AI score0.00418EPSS
CVE
CVE
added 2021/04/22 9:0 p.m.59 views

CVE-2021-24242

Affected software: Tutor LMS WordPress plugin (pre-1.8.8). Vulnerability: Local File Inclusion via a maliciously crafted sub_page parameter in the Tools page. Impact: High-privilege users can include arbitrary local PHP files (confidentiality/integrity concerns for the site). Root cause: Improper...

5.5CVSS3.9AI score0.00778EPSS
Web
CVE
CVE
added 2024/03/12 11:33 p.m.58 views

CVE-2024-1503

CVE-2024-1503 affects Tutor LMS – eLearning and online course solution (WordPress) up to version 2.6.1. Root cause: missing/incorrect nonce validation in erase_tutor_data(), enabling CSRF. Impact: unauthenticated attackers can deactivate the plugin and erase data via forged requests if the "Erase...

4.3CVSS8.9AI score0.0022EPSS
CVE
CVE
added 2024/03/13 3:27 p.m.58 views

CVE-2024-1751

Tutor LMS for WordPress is affected by a time-based SQL Injection in the question_id parameter in all versions up to 2.6.1, exploitable by authenticated users with subscriber or higher privileges to extract data. The root cause is insufficient escaping/protection in the SQL query. A fix is availa...

8.8CVSS9AI score0.03135EPSS
CVE
CVE
added 2024/06/07 4:33 a.m.58 views

CVE-2024-4902

CVE-2024-4902 : The Tutor LMS – eLearning and online course solution for WordPress contains a time-based SQL Injection in the course_id parameter, affecting all versions up to 2.7.1. The vulnerability stems from insufficient escaping and improper preparation of the SQL query, enabling an authenti...

7.2CVSS5.9AI score0.00495EPSS
CVE
CVE
added 2024/08/30 3:24 a.m.58 views

CVE-2024-5784

CVE-2024-5784 (Tutor LMS Pro, WordPress) shows a vulnerability where missing capability checks in multiple functions (treport_quiz_atttempt_delete, tutor_gc_class_action) allow an authenticated user with subscriber-level access or higher to perform unauthorized administrative actions (e.g., delet...

7.1CVSS6.4AI score0.00355EPSS
CVE
CVE
added 2021/04/05 6:27 p.m.55 views

CVE-2021-24186

The CVE-2021-24186 vulnerability affects the Tutor LMS WordPress plugin (pre-1.8.3), where the tutor_answering_quiz_question/get_answer_by_id function pair is susceptible to UNION-based SQL injection. The flaw could allow an attacker (e.g., students) to inject SQL via the affected endpoint, enabl...

6.5CVSS6.8AI score0.01253EPSS
Web
CVE
CVE
added 2021/04/05 6:27 p.m.53 views

CVE-2021-24181

The CVE covers Tutor LMS (WordPress plugin) prior to version 1.7.7, where the tutor_mark_answer_as_correct AJAX action is vulnerable to blind and time-based SQL injections. This could enable an attacker (e.g., students) to manipulate queries via that action. Affected component: Tutor LMS WordPres...

6.5CVSS6.6AI score0.01253EPSS
Web
CVE
CVE
added 2021/10/18 1:46 p.m.53 views

CVE-2021-24740

The CVE-2021-24740 entry concerns the Tutor LMS WordPress plugin, affected versions prior to 1.9.9. The vulnerability is a stored Cross-Site Scripting (XSS) flaw where certain settings are output in HTML attributes without proper escaping, enabling high-privilege users to trigger XSS potentially ...

4.8CVSS4.7AI score0.00622EPSS
CVE
CVE
added 2024/09/10 9:30 a.m.52 views

CVE-2023-2919

CVE-2023-2919 affects Tutor LMS for WordPress (≤ 2.7.4). The root cause is missing/incorrect nonce validation in the addon_enable_disable path, enabling unauthenticated attackers to forge requests to enable/disable addons if a site admin is tricked. Public details confirm the vulnerability and pa...

4.3CVSS4.6AI score0.00207EPSS
CVE
CVE
added 2023/07/04 7:23 a.m.52 views

CVE-2023-3133

The CVE-2023-3133 entry concerns the Tutor LMS WordPress plugin (pre-2.2.1) where REST API endpoints do not perform adequate permission checks, allowing unauthenticated access to information from Lessons that should not be publicly available. Affected product: Tutor LMS WordPress plugin; vulnerab...

7.5CVSS7.5AI score0.00984EPSS
Web
CVE
CVE
added 2021/11/23 7:16 p.m.51 views

CVE-2021-24873

The CVE-2021-24873 entry relates to the Tutor LMS WordPress plugin (before 1.9.11) and a Reflected Cross-Site Scripting issue on the Student Registration page caused by insufficient sanitisation/escaping of user input in output attributes. Affected component: Tutor LMS plugin for WordPress; root ...

6.1CVSS6AI score0.00757EPSS
Web
CVE
CVE
added 2024/03/12 11:33 p.m.51 views

CVE-2024-1502

CVE-2024-1502 affects Tutor LMS – eLearning and online course solution for WordPress. The vulnerability is caused by a missing capability check in the function tutor_delete_announcement(), impacting all versions up to and including 2.6.1. This allows authenticated attackers with subscriber-level ...

5.4CVSS8.9AI score0.00428EPSS
CVE
CVE
added 2024/07/09 9:2 a.m.51 views

CVE-2024-37256

The CVE-2024-37256 entry concerns a SQL Injection in the WordPress Tutor LMS plugin (versions

7.6CVSS7.5AI score0.00577EPSS
CVE
CVE
added 2021/04/05 6:27 p.m.50 views

CVE-2021-24182

CVE-2021-24182 affects the Tutor LMS WordPress plugin prior to 1.8.3. The flaw is a UNION-based SQL injection in the AJAX action tutor_quiz_builder_get_answers_by_question, exploitable by students. The vulnerability stems from unsafely constructed SQL in the affected function, enabling unauthoriz...

6.5CVSS6.8AI score0.01742EPSS
Web
CVE
CVE
added 2023/10/16 7:39 p.m.50 views

CVE-2023-4805

Tutor LMS WordPress plugin prior to version 2.3.0 is susceptible to Stored Cross-Site Scripting due to insufficient sanitization/escaping of certain settings. The vulnerability allows a user with Subscriber privileges (e.g., in multisite) to inject scripts even when unfiltered_html is disallowed....

5.4CVSS5.1AI score0.00403EPSS
Web
CVE
CVE
added 2024/07/20 8:31 a.m.50 views

CVE-2024-37947

Technical details about CVE-2024-37947 are not publicly provided in the connected documents. Monitor official advisories for affected versions, impact, and remediation.

5.9CVSS5.8AI score0.00354EPSS
CVE
CVE
added 2024/08/12 9:4 p.m.50 views

CVE-2024-43231

CVE-2024-43231 is a stored XSS in Tutor LMS (WordPress plugin) via improper neutralization of input during web page generation. Affected: Tutor LMS versions up to 2.7.3. The issue arises from inadequate sanitization of user-supplied content that is later embedded in web pages, enabling stored Cro...

6.5CVSS6.4AI score0.00279EPSS
CVE
CVE
added 2024/06/07 12:33 p.m.50 views

CVE-2024-5438

CVE-2024-5438: Tutor LMS – eLearning and online course solution for WordPress affects all versions up to 2.7.1. The issue is an Insecure Direct Object Reference in the quiz attempts deletion path via the attempt_delete function, due to missing validation on a user-controlled key. This allows auth...

4.3CVSS4.8AI score0.00343EPSS
CVE
CVE
added 2023/12/15 3:30 p.m.48 views

CVE-2023-49829

CVE-2023-49829 pertains to the Tutor LMS WordPress plugin (Tutor LMS – eLearning and online course solution) and describes an issue where input is not properly sanitized during web page generation, allowing stored XSS. Affected versions are Tutor LMS

5.9CVSS6.6AI score0.00394EPSS
CVE
CVE
added 2023/11/03 4:22 p.m.46 views

CVE-2023-25990

The CVE-2023-25990 entry covers a SQL Injection in the WordPress Tutor LMS Plugin. Affected: Tutor LMS WordPress plugin version up to 2.1.10. Root cause: improper neutralization of special elements in SQL commands. Impact: high impact to confidentiality, integrity, and availability (per CVSS metr...

8.8CVSS8.8AI score0.00679EPSS
CVE
CVE
added 2024/08/26 8:55 p.m.46 views

CVE-2024-39645

CVE-2024-39645 is a CSRF vulnerability in WordPress Tutor LMS

8.8CVSS7AI score0.0018EPSS
CVE
CVE
added 2024/11/01 2:17 p.m.46 views

CVE-2024-43142

CVE-2024-43142 is a Missing Authorization vulnerability affecting Tutor LMS versions up to 2.7.3. Public sources (NVD, RH) confirm a Missing Authorization/Access Control issue with Themeum Tutor LMS and list Tutor LMS (n/a through 2.7.3) as affected. NVD CVSS v3.1 base score is 8.8 ( HIGH ) with ...

8.8CVSS4.6AI score0.00397EPSS
CVE
CVE
added 2021/04/05 6:27 p.m.45 views

CVE-2021-24183

The CVE concerns the Tutor LMS WordPress plugin (before 1.8.3). The vulnerability is in the tutor_quiz_builder_get_question_form AJAX action, where input handling permits UNION-based SQL injection. This could allow an attacker (e.g., a student) to manipulate queries via the affected endpoint and ...

6.5CVSS6.8AI score0.01742EPSS
Web
CVE
CVE
added 2021/04/05 6:27 p.m.42 views

CVE-2021-24185

The CVE-2021-24185 affects the Tutor LMS WordPress plugin prior to version 1.7.7. The vulnerability lies in the tutor_place_rating AJAX action, where blind and time-based SQL injections allow exploitation by a student attacker. Impact, as stated, is exposure of data through SQL injection; exploit...

6.5CVSS6.6AI score0.01253EPSS
Web
CVE
CVE
added 2025/10/25 5:31 a.m.25 views

CVE-2025-11564

CVE-2025-11564 affects Tutor LMS – eLearning and online course solution for WordPress (versions up to and including 3.8.3). The root cause is a missing capability check when verifying webhook signatures in the verifyAndCreateOrderData function, enabling unauthenticated attackers to bypass payment...

5.3CVSS5AI score0.00266EPSS
CVE
CVE
added 2025/10/25 5:31 a.m.21 views

CVE-2025-6680

CVE-2025-6680 Tutor LMS (WordPress): Authenticated users with tutor-level+ access can view sensitive information by exposing assignments from courses they don’t teach. Affects Tutor LMS versions up to 3.8.3. Public advisories indicate remediation by upgrading to 3.8.4 or later; some sources also ...

4.3CVSS5.3AI score0.00195EPSS