49 matches found
CVE-2020-8615
CVE-2020-8615 is a CSRF vulnerability in the WordPress Tutor LMS plugin up to version 1.5.3 (fixed in 1.5.3). The issue allows an attacker to approve themselves as an instructor and perform other actions (e.g., blocking legitimate instructors). The root cause is CSRF in Tutor LMS’s instructor-man...
CVE-2024-10400
The Tutor LMS plugin for WordPress is vulnerable to unauthenticated SQL Injection via the rating_filter parameter in versions up to 2.7.6 due to insufficient escaping and missing preparation of the SQL query. Impact: potential exposure of sensitive database data. Affected: all versions ≤ 2.7.6. R...
CVE-2023-0236
CVE-2023-0236 corresponds to a reflected XSS in the WordPress Tutor LMS plugin prior to 2.0.10. The vulnerability stems from failure to sanitize and escape reset_key and user_id when echoing them back in attributes, enabling an attacker to inject scripts into the browser of an authenticated user ...
CVE-2024-4222
CVE-2024-4222 affects the Tutor LMS Pro WordPress plugin. A missing capability check in multiple functions allows unauthenticated attackers to add, modify or delete user meta and plugin options across versions up to 2.7.0. The issue enables unauthorized data access/modification and data loss. Rem...
CVE-2024-1133
The Tutor LMS WordPress plugin (versions up to and including 2.6.0) is vulnerable to unauthorized access of restricted Q&A content due to a missing capability check when interacting with questions.Authenticated users with subscriber access or higher can interact with questions in courses they are...
CVE-2024-4352
CVE-2024-4352 affects Tutor LMS Pro for WordPress. The Red Hat and NVD entries confirm a missing capability check in the function get_calendar_materials, enabling unauthorized access and data modification/loss. It also permits SQL Injection via the year parameter due to insufficient escaping and ...
CVE-2024-4351
CVE-2024-4351 affects Tutor LMS Pro (WordPress) where a missing capability check in the authenticate function across versions up to and including 2.7.0 allows authenticated users with subscriber-level permissions or higher to gain control of an existing administrator account. Public details confi...
CVE-2024-10393
CVE-2024-10393 affects the WordPress Tutor LMS plugin, vulnerable in versions
CVE-2024-1128
CVE-2024-1128 affects the WordPress Tutor LMS plugin (versions up to and including 2.6.0). The vulnerability is HTML Injection in the Q&A functionality caused by insufficient sanitization of HTML input, allowing authenticated users with Student-level access and above to inject arbitrary HTML onto...
CVE-2023-25799
CVE-2023-25799 describes a Missing/Broken Authorization vulnerability in the WordPress plugin Tutor LMS . Affected versions are Tutor LMS: from n/a through 2.1.8. The issue is caused by insufficient authorization checks, enabling access control bypass for certain actions. Public references from P...
CVE-2022-2563
CVE-2022-2563 affects the Tutor LMS WordPress plugin
CVE-2021-24184
CVE-2021-24184 affects Tutor LMS (WordPress plugin) versions before 1.7.7. The vulnerability is due to unprotected AJAX endpoints that allow students to modify course information and elevate privileges, among other actions. Impact includes privilege escalation and alteration of course data. The i...
CVE-2024-3994
CVE-2024-3994 affects Tutor LMS – eLearning and online course solution for WordPress. It is a Stored XSS in the tutor_instructor_list shortcode caused by insufficient input sanitization and output escaping on user-supplied attributes in versions up to and including 2.6.2. Exploitation requires au...
CVE-2024-4223
CVE-2024-4223 affects Tutor LMS – eLearning and online course solution (WordPress plugin) up to version 2.7.0. A missing capability check enables unauthenticated attackers to add, modify, or delete data via HTTP requests (network vector). Wordfence lists a patched status for this CVE, indicating ...
CVE-2021-24455
CVE-2021-24455 affects the WordPress plugin Tutor LMS – eLearning and online course solution. The vulnerability lies in the Summary field of Announcements, which is not escaped when output inside an attribute, allowing a Stored Cross-Site Scripting (XSS) vulnerability. The issue can be triggered ...
CVE-2023-25800
CVE-2023-25800 affects the WordPress Tutor LMS Plugin, vulnerable in versions n/a through 2.2.0 due to improper neutralization of user input in SQL commands (SQL injection). Impact is high (C, I, A) per CVSS; exploitation status not detailed in the provided docs. Remediation: update to version 2....
CVE-2024-3553
CVE-2024-3553 affects Tutor LMS for WordPress up to version 2.6.2. Root cause: hide_notices() lacked a proper capability check, enabling any authenticated user to modify users_can_register and enable registration via the admin page. Patch v2.7.0 adds current_user_can('manage_options') in addition...
CVE-2024-4318
CVE-2024-4318 (Tutor LMS – WordPress) is a time-based SQL Injection in Tutor LMS up to and including version 2.7.0 via the question_id parameter, caused by insufficient escaping and improper query preparation. Exploitation is possible by authenticated users with Instructor-level permissions and h...
CVE-2021-25017
The CVE-2021-25017 entry concerns the Tutor LMS WordPress plugin, specifically versions before 1.9.12, where the search parameter is not escaped before being echoed back into an admin-page attribute, causing a Reflected Cross-Site Scripting (XSS) vulnerability. The affected component is the admin...
CVE-2023-25700
The CVE-2023-25700 entry concerns the WordPress Tutor LMS plugin. A SQL Injection vulnerability arises from improper neutralization of special elements in SQL commands within Tutor LMS, affecting versions up to and including 2.1.10. The issue permits unauthenticated attackers to inject SQL throug...
CVE-2024-37266
CVE-2024-37266: WordPress Tutor LMS plugin suffers from an improper limitation of a pathname (path traversal) in Tutor LMS, affecting versions n/a through 2.7.1. Root cause is pathname restriction, enabling traversal to restricted directories. Publicly documented remediation from connected source...
CVE-2024-4279
Summary: CVE-2024-4279 affects Tutor LMS – eLearning and online course solution for WordPress. An insecure direct object reference vulnerability exists in the tutor_course_delete function caused by missing validation on a user-controlled key, enabling an authenticated attacker with Instructor-lev...
CVE-2024-43282
CVE-2024-43282 is an SQL injection vulnerability in Tutor LMS (authenticated, Administrator+ access) that affects Tutor LMS versions up to and including 2.7.2. Root cause is improper neutralization of input elements in an SQL command. The vulnerability is actively tracked with a patched status, a...
CVE-2021-24242
Affected software: Tutor LMS WordPress plugin (pre-1.8.8). Vulnerability: Local File Inclusion via a maliciously crafted sub_page parameter in the Tools page. Impact: High-privilege users can include arbitrary local PHP files (confidentiality/integrity concerns for the site). Root cause: Improper...
CVE-2024-1503
CVE-2024-1503 affects Tutor LMS – eLearning and online course solution (WordPress) up to version 2.6.1. Root cause: missing/incorrect nonce validation in erase_tutor_data(), enabling CSRF. Impact: unauthenticated attackers can deactivate the plugin and erase data via forged requests if the "Erase...
CVE-2024-1751
Tutor LMS for WordPress is affected by a time-based SQL Injection in the question_id parameter in all versions up to 2.6.1, exploitable by authenticated users with subscriber or higher privileges to extract data. The root cause is insufficient escaping/protection in the SQL query. A fix is availa...
CVE-2024-4902
CVE-2024-4902 : The Tutor LMS – eLearning and online course solution for WordPress contains a time-based SQL Injection in the course_id parameter, affecting all versions up to 2.7.1. The vulnerability stems from insufficient escaping and improper preparation of the SQL query, enabling an authenti...
CVE-2024-5784
CVE-2024-5784 (Tutor LMS Pro, WordPress) shows a vulnerability where missing capability checks in multiple functions (treport_quiz_atttempt_delete, tutor_gc_class_action) allow an authenticated user with subscriber-level access or higher to perform unauthorized administrative actions (e.g., delet...
CVE-2021-24181
The CVE covers Tutor LMS (WordPress plugin) prior to version 1.7.7, where the tutor_mark_answer_as_correct AJAX action is vulnerable to blind and time-based SQL injections. This could enable an attacker (e.g., students) to manipulate queries via that action. Affected component: Tutor LMS WordPres...
CVE-2021-24186
The CVE-2021-24186 vulnerability affects the Tutor LMS WordPress plugin (pre-1.8.3), where the tutor_answering_quiz_question/get_answer_by_id function pair is susceptible to UNION-based SQL injection. The flaw could allow an attacker (e.g., students) to inject SQL via the affected endpoint, enabl...
CVE-2021-24740
The CVE-2021-24740 entry concerns the Tutor LMS WordPress plugin, affected versions prior to 1.9.9. The vulnerability is a stored Cross-Site Scripting (XSS) flaw where certain settings are output in HTML attributes without proper escaping, enabling high-privilege users to trigger XSS potentially ...
CVE-2023-3133
The CVE-2023-3133 entry concerns the Tutor LMS WordPress plugin (pre-2.2.1) where REST API endpoints do not perform adequate permission checks, allowing unauthenticated access to information from Lessons that should not be publicly available. Affected product: Tutor LMS WordPress plugin; vulnerab...
CVE-2023-4805
Tutor LMS WordPress plugin prior to version 2.3.0 is susceptible to Stored Cross-Site Scripting due to insufficient sanitization/escaping of certain settings. The vulnerability allows a user with Subscriber privileges (e.g., in multisite) to inject scripts even when unfiltered_html is disallowed....
CVE-2021-24873
The CVE-2021-24873 entry relates to the Tutor LMS WordPress plugin (before 1.9.11) and a Reflected Cross-Site Scripting issue on the Student Registration page caused by insufficient sanitisation/escaping of user input in output attributes. Affected component: Tutor LMS plugin for WordPress; root ...
CVE-2023-2919
CVE-2023-2919 affects Tutor LMS for WordPress (≤ 2.7.4). The root cause is missing/incorrect nonce validation in the addon_enable_disable path, enabling unauthenticated attackers to forge requests to enable/disable addons if a site admin is tricked. Public details confirm the vulnerability and pa...
CVE-2024-1502
CVE-2024-1502 affects Tutor LMS – eLearning and online course solution for WordPress. The vulnerability is caused by a missing capability check in the function tutor_delete_announcement(), impacting all versions up to and including 2.6.1. This allows authenticated attackers with subscriber-level ...
CVE-2024-37256
The CVE-2024-37256 entry concerns a SQL Injection in the WordPress Tutor LMS plugin (versions
CVE-2021-24182
CVE-2021-24182 affects the Tutor LMS WordPress plugin prior to 1.8.3. The flaw is a UNION-based SQL injection in the AJAX action tutor_quiz_builder_get_answers_by_question, exploitable by students. The vulnerability stems from unsafely constructed SQL in the affected function, enabling unauthoriz...
CVE-2024-37947
Technical details about CVE-2024-37947 are not publicly provided in the connected documents. Monitor official advisories for affected versions, impact, and remediation.
CVE-2024-43231
CVE-2024-43231 is a stored XSS in Tutor LMS (WordPress plugin) via improper neutralization of input during web page generation. Affected: Tutor LMS versions up to 2.7.3. The issue arises from inadequate sanitization of user-supplied content that is later embedded in web pages, enabling stored Cro...
CVE-2024-5438
CVE-2024-5438: Tutor LMS – eLearning and online course solution for WordPress affects all versions up to 2.7.1. The issue is an Insecure Direct Object Reference in the quiz attempts deletion path via the attempt_delete function, due to missing validation on a user-controlled key. This allows auth...
CVE-2023-49829
CVE-2023-49829 pertains to the Tutor LMS WordPress plugin (Tutor LMS – eLearning and online course solution) and describes an issue where input is not properly sanitized during web page generation, allowing stored XSS. Affected versions are Tutor LMS
CVE-2024-39645
CVE-2024-39645 is a CSRF vulnerability in WordPress Tutor LMS
CVE-2023-25990
The CVE-2023-25990 entry covers a SQL Injection in the WordPress Tutor LMS Plugin. Affected: Tutor LMS WordPress plugin version up to 2.1.10. Root cause: improper neutralization of special elements in SQL commands. Impact: high impact to confidentiality, integrity, and availability (per CVSS metr...
CVE-2024-43142
CVE-2024-43142 is a Missing Authorization vulnerability affecting Tutor LMS versions up to 2.7.3. Public sources (NVD, RH) confirm a Missing Authorization/Access Control issue with Themeum Tutor LMS and list Tutor LMS (n/a through 2.7.3) as affected. NVD CVSS v3.1 base score is 8.8 ( HIGH ) with ...
CVE-2021-24183
The CVE concerns the Tutor LMS WordPress plugin (before 1.8.3). The vulnerability is in the tutor_quiz_builder_get_question_form AJAX action, where input handling permits UNION-based SQL injection. This could allow an attacker (e.g., a student) to manipulate queries via the affected endpoint and ...
CVE-2021-24185
The CVE-2021-24185 affects the Tutor LMS WordPress plugin prior to version 1.7.7. The vulnerability lies in the tutor_place_rating AJAX action, where blind and time-based SQL injections allow exploitation by a student attacker. Impact, as stated, is exposure of data through SQL injection; exploit...
CVE-2025-11564
CVE-2025-11564 affects Tutor LMS – eLearning and online course solution for WordPress (versions up to and including 3.8.3). The root cause is a missing capability check when verifying webhook signatures in the verifyAndCreateOrderData function, enabling unauthenticated attackers to bypass payment...
CVE-2025-6680
CVE-2025-6680 Tutor LMS (WordPress): Authenticated users with tutor-level+ access can view sensitive information by exposing assignments from courses they don’t teach. Affects Tutor LMS versions up to 3.8.3. Public advisories indicate remediation by upgrading to 3.8.4 or later; some sources also ...