VYPR

Tutor

by WordPress

Source repositories

CVEs (21)

  • CVE-2025-6184HigAug 13, 2025
    risk 0.57cvss 8.8epss 0.00

    The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter used in the get_submitted_assignments() function in all versions up to, and including, 3.7.0 due to insufficient escaping on…

  • CVE-2025-58993HigSep 9, 2025
    risk 0.49cvss 7.6epss 0.00

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS tutor allows SQL Injection.This issue affects Tutor LMS: from n/a through <= 3.7.4.

  • CVE-2026-1375HigFeb 3, 2026
    risk 0.46cvss 8.1epss 0.00

    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`,…

  • CVE-2026-3360HigApr 10, 2026
    risk 0.42cvss 7.5epss 0.01

    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function.…

  • CVE-2026-6080MedApr 17, 2026
    risk 0.35cvss 6.5epss 0.01

    The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it…

  • CVE-2026-40740MedApr 15, 2026
    risk 0.35cvss 5.4epss 0.00

    Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.7.

  • CVE-2025-13679MedJan 8, 2026
    risk 0.35cvss 6.5epss 0.00

    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated…

  • CVE-2025-6639MedOct 25, 2025
    risk 0.35cvss 5.4epss 0.00

    The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the…

  • CVE-2026-3371MedApr 11, 2026
    risk 0.28cvss 4.3epss 0.00

    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is…

  • CVE-2026-3358MedApr 11, 2026
    risk 0.28cvss 5.4epss 0.00

    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()`…

  • CVE-2025-32230MedApr 10, 2025
    risk 0.28cvss 4.3epss 0.00

    Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Themeum Tutor LMS tutor.This issue affects Tutor LMS: from n/a through <= 3.4.0.

  • CVE-2026-5502MedApr 17, 2026
    risk 0.27cvss 5.3epss 0.00

    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The…

  • CVE-2026-1371MedFeb 3, 2026
    risk 0.27cvss 5.3epss 0.00

    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates…

  • CVE-2025-47555LowJan 22, 2026
    risk 0.25cvss 3.8epss 0.00

    Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.4.

  • CVE-2025-13935MedJan 9, 2026
    risk 0.21cvss 4.3epss 0.00

    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible…

  • CVE-2025-13934MedJan 9, 2026
    risk 0.21cvss 4.3epss 0.00

    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX…

  • CVE-2025-13628MedJan 9, 2026
    risk 0.21cvss 4.3epss 0.00

    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and…

  • CVE-2023-0236Feb 6, 2023
    risk 0.02cvss epss 0.01

    The Tutor LMS WordPress plugin before 2.0.10 does not sanitise and escape the reset_key and user_id parameters before outputting then back in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin

  • CVE-2023-4805Oct 16, 2023
    risk 0.00cvss epss 0.00

    The Tutor LMS WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow users such as subscriber to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

  • CVE-2023-3133Jul 4, 2023
    risk 0.00cvss epss 0.01

    The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available.

Page 1 of 2