Tutor LMS
Themeum
Developer
3.9.2
Latest version
100,000
Installations
7 days ago
Last updated
Vulnerability history
0 present
45 fixed
18 Mitigation rules
- Missing Authorization to Sensitive Information Exposure vulnerability<= 3.8.3Oct 25, 2025
- Missing Authorization to Unauthenticated Payment Status Update vulnerability<= 3.8.3Oct 25, 2025
- SQL Injection Vulnerability<= 3.7.4Sep 9, 2025
- HTML Injection vulnerability<= 3.4.0Apr 7, 2025
- Unauthenticated SQL Injection via rating_filter vulnerability<= 2.7.6Nov 21, 2024
- User Registration Setting Bypass to Unauthorized User Registration vulnerability<= 2.7.6Nov 21, 2024
- Cross-Site Request Forgery via 'addon_enable_disable' vulnerability<= 2.7.4Sep 10, 2024
- SQL Injection vulnerability<= 2.7.2Aug 16, 2024
- Cross Site Scripting (XSS) vulnerability<= 2.7.3Aug 9, 2024
- Broken Access Control vulnerability<= 2.7.3Aug 7, 2024
- Cross Site Request Forgery (CSRF) vulnerability<= 2.7.2Aug 1, 2024
- Cross Site Scripting (XSS) vulnerability<= 2.7.2Jul 10, 2024
- Path Traversal vulnerability<= 2.7.1Jun 27, 2024
- SQL Injection vulnerability<= 2.7.1Jun 27, 2024
- Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Quiz Attempt Deletion vulnerability<= 2.7.1Jun 7, 2024
- Missing Authorization vulnerability<= 2.7.0May 16, 2024
- Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Course Deletion vulnerability<= 2.7.0May 16, 2024
- Authenticated (Instructor+) SQL Injection vulnerability<= 2.7.0May 16, 2024
- Missing Authorization to Unauthenticated Limited Options Update vulnerability<= 2.6.2Apr 29, 2024
- Authenticated (Contributor+) Stored Cross-Site Scripting via 'tutor_instructor_list' Shortcode vulnerability<= 2.6.2Apr 25, 2024
- Cross-Site Request Forgery to Plugin Deactivation and Data Erase vulnerability<= 2.6.1Mar 12, 2024
- Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion vulnerability<= 2.6.1Mar 12, 2024
- Authenticated (Subscriber+) SQL Injection vulnerability<= 2.6.1Mar 12, 2024
- Missing Authorization vulnerability<= 2.6.0Feb 21, 2024
- Authenticated(Student+) HTML Injection via Q&A vulnerability<= 2.6.0Feb 21, 2024
- Cross Site Scripting (XSS) vulnerability<= 2.2.4Dec 5, 2023
- Subscriber+ Stored Cross-Site Scripting vulnerability< 2.3.0Oct 17, 2023
- Unauthenticated Access to Tutor LMS Lesson Resources via REST API vulnerability< 2.2.1Jun 22, 2023
- Unauthenticated SQL Injection vulnerability<= 2.1.10May 30, 2023
- Multiple Student+ SQL Injection vulnerability<= 2.2.0May 30, 2023
- Multiple Tutor Instructor+ SQL Injection vulnerability<= 2.1.10May 30, 2023
- Multiple Broken Access Control vulnerabilities<= 2.1.8May 24, 2023
- Reflected Cross-Site Scripting (XSS) vulnerability< 2.0.10Jan 12, 2023
- Authenticated Stored Cross-Site Scripting (XSS) vulnerability<= 2.0.9Sep 26, 2022
- Reflected Cross-Site Scripting (XSS) vulnerability<= 1.9.12Jan 10, 2022
- Stored Cross-Site Scripting (XSS) vulnerability<= 1.9.11Dec 27, 2021
- Reflected Cross-Site Scripting (XSS) vulnerability<= 1.9.11Dec 27, 2021
- Reflected Cross-Site Scripting (XSS) vulnerability<= 1.9.10Oct 19, 2021
- Multiple Stored Cross-Site Scripting (XSS) vulnerabilities<= 1.9.8Sep 20, 2021
- Reflected Cross-Site Scripting (XSS) vulnerability<= 1.9.5Aug 9, 2021
- Authenticated Local File Inclusion vulnerability<= 1.8.7Apr 5, 2021
- Multiple Blind/Time-based SQL Injection (SQLi) vulnerabilities<= 1.7.6Mar 15, 2021
- Multiple Union SQL Injection (SQLi) vulnerabilities<= 1.8.2Mar 15, 2021
- Unprotected AJAX Action to Privilege Escalation vulnerability<= 1.7.6Mar 15, 2021
- Cross-Site Request Forgery (CSRF) vulnerability<= 1.5.2Feb 4, 2020