Learning Management System
by WordPress
CVEs (39)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-49111 | | High | 0.57 | 8.8 | 0.00 | | Jun 15, 2026 | Incorrect Privilege Assignment vulnerability in ThemeGrill Masteriyo - LMS allows Privilege Escalation. This issue affects Masteriyo - LMS: from n/a through 2.2.0. |
| CVE-2026-39405 | | Critical | 0.54 | — | 0.00 | | May 20, 2026 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.50.0 and below, a user with course editing role could upload a SCORM ZIP package to write files outside the intended directory. This issue has been resolved in… |
| CVE-2025-64270 | | Medium | 0.42 | 6.5 | 0.00 | | Dec 18, 2025 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in masteriyo Masteriyo - LMS learning-management-system allows Retrieve Embedded Sensitive Data. This issue affects Masteriyo - LMS: from n/a through <= 2.0.3. |
| CVE-2024-33939 | | Medium | 0.35 | 5.3 | 0.01 | | May 19, 2025 | Authentication Bypass Using an Alternate Path or Channel vulnerability in masteriyo Masteriyo - LMS learning-management-system. This issue affects Masteriyo - LMS: from n/a through <= 1.7.3. |
| CVE-2026-5167 | | Medium | 0.27 | 5.3 | 0.00 | | Apr 8, 2026 | The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the… |
| CVE-2022-38553 | | | 0.02 | — | 0.02 | | Sep 26, 2022 | Academy Learning Management System before v5.9.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Search parameter. |
| CVE-2026-26977 | | | 0.00 | — | 0.00 | | Feb 20, 2026 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In versions 2.44.0 and below, unauthorized users are able to access the details of unpublished courses via API endpoints. A fix for this issue is planned for the 2.45.0 release. |
| CVE-2020-36944 | | | 0.00 | — | 0.00 | | Jan 28, 2026 | ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. Attackers can inject a script that uses XMLHttpRequest to retrieve local file contents when the… |
| CVE-2026-23497 | | | 0.00 | — | 0.00 | | Jan 14, 2026 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. In 2.44.0 and earlier, there is a stored XSS vulnerability where a specially crafted image filename could execute malicious JavaScript when rendered on course or jobs pages. |
| CVE-2025-67734 | | | 0.00 | — | 0.00 | | Dec 12, 2025 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allowed authenticated attackers to enter JavaScript through the Company Website field of the Job Form, exposing users to an XSS attack. The script… |
| CVE-2025-67730 | | | 0.00 | — | 0.00 | | Dec 12, 2025 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Versions prior to 2.42.0 allow authenticated users to add malicious HTML and JavaScript through description fields in the Job, Course and Batch forms. This issue is fixed in… |
| CVE-2025-66581 | | | 0.00 | — | 0.00 | | Dec 5, 2025 | Frappe Learning Management System (LMS) is a learning system that helps users structure their content. Prior to 2.41.0, a flaw in the server-side authorization logic allowed authenticated users to perform actions beyond their assigned roles across multiple features. Because the… |
| CVE-2025-46102 | | | 0.00 | — | 0.00 | | Jul 17, 2025 | Cross Site Scripting vulnerability in Beakon Software Beakon Learning Management System Sharable Content Object Reference Model (SCORM) version V.5.4.3 allows a remote attacker to obtain sensitive information via the URL parameter |
| CVE-2025-46101 | | | 0.00 | — | 0.01 | | Jun 23, 2025 | SQL Injection vulnerability in Beakon Software Beakon Learning Management System Sharable Content Object Reference Model (SCORM) version before 5.4.3 allows a remote attacker to obtain sensitive information via the ks parameter in json_scorm.php file |
| CVE-2024-54933 | | | 0.00 | — | 0.00 | | Dec 9, 2024 | Kashipara E-learning Management System v1.0 is vulnerable to SQL Injection in /admin/delete_content.php. |
| CVE-2024-54931 | | | 0.00 | — | 0.01 | | Dec 9, 2024 | A SQL Injection was found in /admin/delete_event.php in kashipara E-learning Management System v1.0, which allows remote attackers to execute arbitrary SQL commands to get unauthorized database access via the id parameter. |
| CVE-2024-54926 | | | 0.00 | — | 0.01 | | Dec 9, 2024 | A SQL Injection vulnerability was found in /search_class.php of kashipara E-learning Management System v1.0, which allows remote attackers to execute arbitrary SQL commands to get unauthorized database access via the school_year parameter. |
| CVE-2024-54921 | | | 0.00 | — | 0.01 | | Dec 9, 2024 | A SQL Injection was found in /student_signup.php in kashipara E-learning Management System v1.0, which allows remote attackers to execute arbitrary SQL commands to get unauthorized database access via the username, firstname, lastname, and class_id parameters. |
| CVE-2024-54934 | | | 0.00 | — | 0.00 | | Dec 9, 2024 | Kashipara E-learning Management System v1.0 is vulnerable to SQL Injection in /admin/delete_class.php. |
| CVE-2024-54935 | | | 0.00 | — | 0.00 | | Dec 9, 2024 | A Stored Cross-Site Scripting (XSS) vulnerability was found in /send_message_teacher_to_student.php of kashipara E-learning Management System v1.0. This vulnerability allows remote attackers to execute arbitrary scripts via the my_message parameter. |
Page 1 of 2