Tutor LMS
Themeum
Developer
3.9.8
Latest version
100,000
Installations
No date
Last updated
Vulnerability history
0 present
56 patched
21 Mitigation rules
- Insecure Direct Object References (IDOR) vulnerability<= 3.9.416/03/2026
- Unauthenticated SQL Injection via coupon_code vulnerability<= 3.9.602/03/2026
- Broken Access Control vulnerability<= 3.9.525/02/2026
- Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion vulnerability<= 3.9.503/02/2026
- Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action vulnerability<= 3.9.502/02/2026
- Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion vulnerability<= 3.9.230/01/2026
- WordPress Tutor LMS - eLearning and online course solution plugin <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion vulnerability<= 3.9.420/01/2026
- WordPress Tutor LMS - eLearning and online course solution plugin <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification vulnerability<= 3.9.308/01/2026
- WordPress Tutor LMS - eLearning and online course solution plugin <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass vulnerability<= 3.9.308/01/2026
- Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via tutor_order_details vulnerability<= 3.9.308/01/2026
- Insecure Direct Object References (IDOR) vulnerability<= 3.9.402/01/2026
- Missing Authorization to Sensitive Information Exposure vulnerability<= 3.8.325/10/2025
- Missing Authorization to Unauthenticated Payment Status Update vulnerability<= 3.8.325/10/2025
- SQL Injection Vulnerability<= 3.7.409/09/2025
- HTML Injection vulnerability<= 3.4.007/04/2025
- Unauthenticated SQL Injection via rating_filter vulnerability<= 2.7.621/11/2024
- User Registration Setting Bypass to Unauthorized User Registration vulnerability<= 2.7.621/11/2024
- Cross-Site Request Forgery via 'addon_enable_disable' vulnerability<= 2.7.410/09/2024
- SQL Injection vulnerability<= 2.7.216/08/2024
- Cross Site Scripting (XSS) vulnerability<= 2.7.309/08/2024
- Broken Access Control vulnerability<= 2.7.307/08/2024
- Cross Site Request Forgery (CSRF) vulnerability<= 2.7.201/08/2024
- Cross Site Scripting (XSS) vulnerability<= 2.7.210/07/2024
- Path Traversal vulnerability<= 2.7.127/06/2024
- SQL Injection vulnerability<= 2.7.127/06/2024
- Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Quiz Attempt Deletion vulnerability<= 2.7.107/06/2024
- Missing Authorization vulnerability<= 2.7.016/05/2024
- Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Course Deletion vulnerability<= 2.7.016/05/2024
- Authenticated (Instructor+) SQL Injection vulnerability<= 2.7.016/05/2024
- Missing Authorization to Unauthenticated Limited Options Update vulnerability<= 2.6.229/04/2024
- Authenticated (Contributor+) Stored Cross-Site Scripting via 'tutor_instructor_list' Shortcode vulnerability<= 2.6.225/04/2024
- Cross-Site Request Forgery to Plugin Deactivation and Data Erase vulnerability<= 2.6.112/03/2024
- Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion vulnerability<= 2.6.112/03/2024
- Authenticated (Subscriber+) SQL Injection vulnerability<= 2.6.112/03/2024
- Missing Authorization vulnerability<= 2.6.021/02/2024
- Authenticated(Student+) HTML Injection via Q&A vulnerability<= 2.6.021/02/2024
- Cross Site Scripting (XSS) vulnerability<= 2.2.405/12/2023
- Subscriber+ Stored Cross-Site Scripting vulnerability< 2.3.017/10/2023
- Unauthenticated Access to Tutor LMS Lesson Resources via REST API vulnerability< 2.2.122/06/2023
- Unauthenticated SQL Injection vulnerability<= 2.1.1030/05/2023
- Multiple Student+ SQL Injection vulnerability<= 2.2.030/05/2023
- Multiple Tutor Instructor+ SQL Injection vulnerability<= 2.1.1030/05/2023
- Multiple Broken Access Control vulnerabilities<= 2.1.824/05/2023
- Reflected Cross-Site Scripting (XSS) vulnerability< 2.0.1012/01/2023
- Authenticated Stored Cross-Site Scripting (XSS) vulnerability<= 2.0.926/09/2022
- Reflected Cross-Site Scripting (XSS) vulnerability<= 1.9.1210/01/2022
- Stored Cross-Site Scripting (XSS) vulnerability<= 1.9.1127/12/2021
- Reflected Cross-Site Scripting (XSS) vulnerability<= 1.9.1127/12/2021
- Reflected Cross-Site Scripting (XSS) vulnerability<= 1.9.1019/10/2021
- Multiple Stored Cross-Site Scripting (XSS) vulnerabilities<= 1.9.820/09/2021
- Reflected Cross-Site Scripting (XSS) vulnerability<= 1.9.509/08/2021
- Authenticated Local File Inclusion vulnerability<= 1.8.705/04/2021
- Multiple Blind/Time-based SQL Injection (SQLi) vulnerabilities<= 1.7.615/03/2021
- Multiple Union SQL Injection (SQLi) vulnerabilities<= 1.8.215/03/2021
- Unprotected AJAX Action to Privilege Escalation vulnerability<= 1.7.615/03/2021
- Cross-Site Request Forgery (CSRF) vulnerability<= 1.5.204/02/2020