Themeum Tutor LMS vulnerabilities
56 known vulnerabilities affecting themeum/tutor_lms.
Total CVEs: 56
CISA KEV: 0
Public exploits: 4
Exploited in wild: 6
Severity breakdown: CRITICAL 2, HIGH 18, MEDIUM 33, LOW 3
Vulnerabilities
Page 3 of 3
CVE-2024-5438 | P4 | MEDIUM | CVSS 4.3 | fixed in 2.7.2 | 2024-06-07
CWE-639
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.1 via the 'attempt_delete' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Instructor-level access and above, to delet
Source: nvd
CVE-2021-25017 | P4 | MEDIUM | CVSS 6.1 | fixed in 1.9.12 | 2022-01-24
CWE-79
The Tutor LMS WordPress plugin before 1.9.12 does not escape the search parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
Source: nvd
CVE-2023-4805 | P4 | MEDIUM | CVSS 5.4 | fixed in 2.3.0 | 2023-10-16
CWE-79
The Tutor LMS WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow users such as subscribers to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup)
Source: nvd
CVE-2024-3994 | P4 | MEDIUM | CVSS 5.4 | fixed in 2.7.0 | 2024-04-25
CWE-79
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tutor_instructor_list' shortcode in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,
Source: nvd
CVE-2024-1133 | P4 | MEDIUM | CVSS 4.3 | fixed in 2.6.1 | 2024-02-29
CWE-862
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of restricted Q&A content due to a missing capability check when interacting with questions in all versions up to, and including, 2.6.0. This makes it possible for authenticated attackers, with subscriber access or higher, to interact with qu
Source: nvd
CVE-2025-6680 | P4 | MEDIUM | CVSS 4.3 | fixed in 3.9.0 | 2025-10-25
CWE-284
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level access and above, to view assignments for courses they don't teach, which may contain sensitive information.
Source: nvd
CVE-2024-37947 | P4 | MEDIUM | CVSS 4.8 | fixed in 2.7.3 | affected ≥ n/a, ≤ 2.7.2 | 2024-07-20
CWE-79
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themeum Tutor LMS allows Stored XSS. This issue affects Tutor LMS: from n/a through 2.7.2.
Source: nvd
CVE-2025-32230 | P4 | MEDIUM | CVSS 4.3 | affected ≤ 3.4.0 | 2025-04-10
CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Themeum Tutor LMS tutor. This issue affects Tutor LMS: from n/a through <= 3.4.0.
Source: nvd
CVE-2021-24740 | P4 | MEDIUM | CVSS 4.8 | fixed in 1.9.9 | 2021-10-18
CWE-79
The Tutor LMS WordPress plugin before 1.9.9 does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
Source: nvd
CVE-2022-2563 | P4 | MEDIUM | CVSS 4.8 | fixed in 2.0.10 | 2022-10-17
CWE-79
The Tutor LMS WordPress plugin before 2.0.10 does not escape some course parameters, which could allow high privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup)
Source: nvd
CVE-2023-49829 | P4 | MEDIUM | CVSS 4.8 | affected ≤ 2.2.4 | 2023-12-15
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS – eLearning and online course solution allows Stored XSS. This issue affects Tutor LMS – eLearning and online course solution: from n/a through 2.2.4.
Source: nvd
CVE-2024-1503 | P4 | MEDIUM | CVSS 4.3 | fixed in 2.6.2 | 2024-03-21
CWE-352
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.1. This is due to missing or incorrect nonce validation on the erase_tutor_data() function. This makes it possible for unauthenticated attackers to deactivate the plugin and erase all data via
Source: nvd
CVE-2023-2919 | P4 | MEDIUM | CVSS 4.3 | fixed in 2.7.5 | 2024-09-10
CWE-352
The Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.4. This is due to missing or incorrect nonce validation on the 'addon_enable_disable' function. This makes it possible for unauthenticated attackers to enable or disable addons via a forged request granted they can trick a site administ
Source: nvd
CVE-2025-47555 | P4 | LOW | CVSS 3.8 | affected ≤ 3.9.4 | 2026-01-22
CWE-639
Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.4.
Source: nvd
CVE-2024-1128 | P4 | LOW | CVSS 3.5 | fixed in 2.6.1 | 2024-02-29
CWE-74
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 2.6.0. This is due to insufficient sanitization of HTML input in the Q&A functionality. This makes it possible for authenticated attackers, with Student access and above, to inject arbitrary HTML onto a site, thou
Source: nvd
CVE-2021-24242 | P4 | LOW | CVSS 3.8 | fixed in 1.8.8 | 2021-04-22
CWE-22
The Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.8 is affected by a local file inclusion vulnerability through the maliciously constructed sub_page parameter of the plugin's Tools, allowing high privilege users to include any local PHP file
Source: nvd