Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
119 vulnerabilities by Themeum
CVE-2026-10736 (GCVE-0-2026-10736)
Vulnerability from cvelistv5 – Published: 2026-06-18 05:34 – Updated: 2026-06-18 15:52
VLAI
Title
Tutor LMS <= 3.9.11 - Authenticated (Administrator+) SQL Injection via 'data' Parameter
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.11
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10736",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-18T15:51:49.093996Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T15:52:02.866Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.11",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Miguel Angel Mendez Z"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the \u0027data\u0027 parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-18T05:34:24.933Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e193bb9-bb16-4a77-877b-fa0ab29a6c74?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.11/models/WithdrawModel.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.11/models/WithdrawModel.php#L169"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.11/views/pages/withdraw_requests.php#L29"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.11/classes/Input.php#L78"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/models/WithdrawModel.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/models/WithdrawModel.php#L169"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/views/pages/withdraw_requests.php#L29"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Input.php#L78"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3565513/tutor/tags/3.9.12/models/WithdrawModel.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-03T13:13:27.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-17T17:23:24.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u003c= 3.9.11 - Authenticated (Administrator+) SQL Injection via \u0027data\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-10736",
"datePublished": "2026-06-18T05:34:24.933Z",
"dateReserved": "2026-06-03T12:58:16.370Z",
"dateUpdated": "2026-06-18T15:52:02.866Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22332 (GCVE-0-2026-22332)
Vulnerability from cvelistv5 – Published: 2026-06-17 09:50 – Updated: 2026-06-17 15:31
VLAI
Title
WordPress Tutor LMS Pro plugin <= 3.9.6 - SQL Injection vulnerability
Summary
Unauthenticated SQL Injection in Tutor LMS Pro <= 3.9.6 versions.
Severity
9.3 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Themeum | Tutor LMS Pro |
Affected:
n/a , ≤ 3.9.6
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22332",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T13:37:33.536941Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:31:50.291Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "tutor-pro",
"product": "Tutor LMS Pro",
"vendor": "Themeum",
"versions": [
{
"changes": [
{
"at": "3.9.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.9.6",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "0xd4rk5id3 | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unauthenticated SQL Injection in Tutor LMS Pro \u003c= 3.9.6 versions."
}
],
"value": "Unauthenticated SQL Injection in Tutor LMS Pro \u003c= 3.9.6 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T09:50:32.139Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/tutor-pro/vulnerability/wordpress-tutor-lms-pro-plugin-3-8-3-sql-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Tutor LMS Pro plugin to the latest available version (at least 3.9.7)."
}
],
"value": "Update the WordPress Tutor LMS Pro plugin to the latest available version (at least 3.9.7)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Tutor LMS Pro plugin \u003c= 3.9.6 - SQL Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-22332",
"datePublished": "2026-06-17T09:50:32.139Z",
"dateReserved": "2026-01-07T12:21:02.765Z",
"dateUpdated": "2026-06-17T15:31:50.291Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22330 (GCVE-0-2026-22330)
Vulnerability from cvelistv5 – Published: 2026-06-17 09:50 – Updated: 2026-06-17 15:31
VLAI
Title
WordPress Right Way theme <= 4.0 - Local File Inclusion vulnerability
Summary
Unauthenticated Local File Inclusion in Right Way <= 4.0 versions.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/theme/r… | vdb-entry |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22330",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:21:57.920953Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:31:54.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/themes",
"defaultStatus": "unaffected",
"packageName": "rightway",
"product": "Right Way",
"vendor": "Themeum",
"versions": [
{
"lessThanOrEqual": "4.0",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unauthenticated Local File Inclusion in Right Way \u003c= 4.0 versions."
}
],
"value": "Unauthenticated Local File Inclusion in Right Way \u003c= 4.0 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-252 PHP Local File Inclusion"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T09:50:30.277Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/theme/rightway/vulnerability/wordpress-right-way-theme-4-0-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Right Way theme \u003c= 4.0 - Local File Inclusion vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-22330",
"datePublished": "2026-06-17T09:50:30.277Z",
"dateReserved": "2026-01-07T12:21:02.765Z",
"dateUpdated": "2026-06-17T15:31:54.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22329 (GCVE-0-2026-22329)
Vulnerability from cvelistv5 – Published: 2026-06-17 09:50 – Updated: 2026-06-17 15:32
VLAI
Title
WordPress Skillate theme <= 1.2.10 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Unauthenticated Cross Site Scripting (XSS) in Skillate <= 1.2.10 versions.
Severity
7.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/theme/s… | vdb-entry |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22329",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-17T15:21:40.727677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T15:32:27.549Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/themes",
"defaultStatus": "unaffected",
"packageName": "skillate",
"product": "Skillate",
"vendor": "Themeum",
"versions": [
{
"lessThanOrEqual": "1.2.10",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unauthenticated Cross Site Scripting (XSS) in Skillate \u003c= 1.2.10 versions."
}
],
"value": "Unauthenticated Cross Site Scripting (XSS) in Skillate \u003c= 1.2.10 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-17T09:50:29.401Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/theme/skillate/vulnerability/wordpress-skillate-theme-1-2-10-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Skillate theme \u003c= 1.2.10 - Reflected Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-22329",
"datePublished": "2026-06-17T09:50:29.401Z",
"dateReserved": "2026-01-07T12:21:02.765Z",
"dateUpdated": "2026-06-17T15:32:27.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40743 (GCVE-0-2026-40743)
Vulnerability from cvelistv5 – Published: 2026-06-15 20:18 – Updated: 2026-06-16 12:32
VLAI
Title
WordPress Tutor LMS plugin <= 3.9.7 - Broken Access Control vulnerability
Summary
Unauthenticated Broken Access Control in Tutor LMS <= 3.9.7 versions.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/wordpress/plugin/… | vdb-entry |
Impacted products
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40743",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-16T12:32:41.110637Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-16T12:32:51.257Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "tutor",
"product": "Tutor LMS",
"vendor": "Themeum",
"versions": [
{
"changes": [
{
"at": "3.9.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.9.7",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "lagi bljr | Patchstack Bug Bounty Program"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unauthenticated Broken Access Control in Tutor LMS \u003c= 3.9.7 versions."
}
],
"value": "Unauthenticated Broken Access Control in Tutor LMS \u003c= 3.9.7 versions."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-15T20:18:13.192Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-7-broken-access-control-vulnerability-2?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Tutor LMS Plugin to the latest available version (at least 3.9.8)."
}
],
"value": "Update the WordPress Tutor LMS Plugin to the latest available version (at least 3.9.8)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Tutor LMS plugin \u003c= 3.9.7 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-40743",
"datePublished": "2026-06-15T20:18:13.192Z",
"dateReserved": "2026-04-15T09:19:38.194Z",
"dateUpdated": "2026-06-16T12:32:51.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8206 (GCVE-0-2026-8206)
Vulnerability from cvelistv5 – Published: 2026-06-02 03:28 – Updated: 2026-06-02 10:47
VLAI
KEVintel KEV
Title
Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'
Summary
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Kirki – Freeform Page Builder, Website Builder & Customizer |
Affected:
6.0.0 , ≤ 6.0.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8206",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-02T10:39:27.000769Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T10:47:47.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Kirki \u2013 Freeform Page Builder, Website Builder \u0026 Customizer",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "6.0.6",
"status": "affected",
"version": "6.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "CHOIGYEONGMIN"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Kirki \u2013 Freeform Page Builder, Website Builder \u0026 Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-02T03:28:49.326Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3b5630bd-5bce-4226-959f-5e81ae69b799?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/ComponentLibrary/controller/CompLibFormHandler.php#L330"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/CompLibFormHandler.php#L330"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/CompLibFormHandler.php#L48"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/ComponentLibrary/controller/CompLibFormHandler.php#L48"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/ElementGenerator.php#L227"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/ComponentLibrary/controller/ElementGenerator.php#L227"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3530843/kirki"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-15T13:15:09.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-01T15:03:50.000Z",
"value": "Disclosed"
}
],
"title": "Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via \u0027handle_forgot_password\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8206",
"datePublished": "2026-06-02T03:28:49.326Z",
"dateReserved": "2026-05-09T01:00:17.472Z",
"dateUpdated": "2026-06-02T10:47:47.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8073 (GCVE-0-2026-8073)
Vulnerability from cvelistv5 – Published: 2026-05-19 18:33 – Updated: 2026-05-19 20:01
VLAI
Title
Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP
Summary
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Kirki – Freeform Page Builder, Website Builder & Customizer |
Affected:
0 , ≤ 6.0.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8073",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T19:59:34.814729Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T20:01:00.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Kirki \u2013 Freeform Page Builder, Website Builder \u0026 Customizer",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "6.0.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafie Muhammad"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Kirki \u2013 Freeform Page Builder, Website Builder \u0026 Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the \u0027downloadZIP\u0027 function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T18:33:52.658Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b073edd0-3f40-423e-976e-996b29caf66e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.1/includes/API.php#L60"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3535640/kirki/trunk/includes/API.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-15T13:15:09.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-19T06:24:51.000Z",
"value": "Disclosed"
}
],
"title": "Kirki \u003c= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8073",
"datePublished": "2026-05-19T18:33:52.658Z",
"dateReserved": "2026-05-07T09:46:46.353Z",
"dateUpdated": "2026-05-19T20:01:00.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8096 (GCVE-0-2026-8096)
Vulnerability from cvelistv5 – Published: 2026-05-19 18:33 – Updated: 2026-05-19 19:35
VLAI
Title
Kirki <= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Submission Data Exposure via 'kirki_wp_admin_get_apis' Action
Summary
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view all Kirki frontend forms and read stored visitor form submission data, including contact details, messages, and any other visitor-provided information submitted through site forms.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Kirki – Freeform Page Builder, Website Builder & Customizer |
Affected:
0 , ≤ 6.0.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8096",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T19:35:20.018131Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T19:35:37.550Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Kirki \u2013 Freeform Page Builder, Website Builder \u0026 Customizer",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "6.0.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Giang Bui"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Kirki \u2013 Freeform Page Builder, Website Builder \u0026 Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view all Kirki frontend forms and read stored visitor form submission data, including contact details, messages, and any other visitor-provided information submitted through site forms."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T18:33:51.799Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1a4414b1-6a49-42f8-9927-93763d1502ce?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/includes/Ajax.php#L675"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3535640/kirki"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-15T13:15:09.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-19T06:22:39.000Z",
"value": "Disclosed"
}
],
"title": "Kirki \u003c= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Submission Data Exposure via \u0027kirki_wp_admin_get_apis\u0027 Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8096",
"datePublished": "2026-05-19T18:33:51.799Z",
"dateReserved": "2026-05-07T13:14:53.291Z",
"dateUpdated": "2026-05-19T19:35:37.550Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6965 (GCVE-0-2026-6965)
Vulnerability from cvelistv5 – Published: 2026-05-13 05:29 – Updated: 2026-05-13 10:20
VLAI
Title
Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
53 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.9
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6965",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T10:05:51.578265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T10:20:41.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "molten bit"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin\u0027s sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor\u0027s course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q\u0026A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T05:29:37.082Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55924ea3-373c-4297-a958-5670def1f6c0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L7829"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L7829"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L8020"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L8020"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L341"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L341"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1041"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1041"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2045"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L2045"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L586"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L586"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Announcements.php#L105"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Announcements.php#L105"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L219"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L219"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L297"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L297"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L294"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L294"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L243"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L243"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1997"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L1997"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L507"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L507"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L888"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L888"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L339"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L339"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L186"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L186"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1007"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1007"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L7829"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L8020"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L341"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1041"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2045"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L586"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Announcements.php#L105"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L219"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L297"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L294"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L243"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1997"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L507"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L888"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L339"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L186"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1007"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3518400%40tutor\u0026new=3518400%40tutor\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-24T16:17:05.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-12T17:18:06.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u003c= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via \u0027course\u0027 GET Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6965",
"datePublished": "2026-05-13T05:29:37.082Z",
"dateReserved": "2026-04-24T16:01:40.686Z",
"dateUpdated": "2026-05-13T10:20:41.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5502 (GCVE-0-2026-5502)
Vulnerability from cvelistv5 – Published: 2026-04-17 03:36 – Updated: 2026-04-17 14:28
VLAI
Title
Tutor LMS <= 3.9.8 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) but does not verify whether the user has permission to manage course content. The can_user_manage() authorization check only executes when the 'content_parent' parameter is present in the request. When this parameter is omitted, the function proceeds directly to save_course_content_order() which manipulates the wp_posts table without any authorization validation. This makes it possible for authenticated attackers with subscriber-level access and above to detach all lessons from any topic, move lessons between topics, and modify the menu_order of course content, effectively allowing them to disrupt the structure of any course on the site.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.8
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T14:27:27.845133Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T14:28:01.492Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "momopon1415"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) but does not verify whether the user has permission to manage course content. The can_user_manage() authorization check only executes when the \u0027content_parent\u0027 parameter is present in the request. When this parameter is omitted, the function proceeds directly to save_course_content_order() which manipulates the wp_posts table without any authorization validation. This makes it possible for authenticated attackers with subscriber-level access and above to detach all lessons from any topic, move lessons between topics, and modify the menu_order of course content, effectively allowing them to disrupt the structure of any course on the site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T03:36:45.463Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f32ae42d-dd1f-41d7-8ae4-ddec56d78ae6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1700"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1789"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1789"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1700"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3505142/tutor/tags/3.9.9/classes/Course.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-03T16:04:07.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-16T15:10:34.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u003c= 3.9.8 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5502",
"datePublished": "2026-04-17T03:36:45.463Z",
"dateReserved": "2026-04-03T15:48:58.659Z",
"dateUpdated": "2026-04-17T14:28:01.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6080 (GCVE-0-2026-6080)
Vulnerability from cvelistv5 – Published: 2026-04-17 03:36 – Updated: 2026-04-20 14:59
VLAI
Title
Tutor LMS <= 3.9.8 - Authenticated (Admin+) SQL Injection via 'date' Parameter
Summary
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.8
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6080",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-17T14:30:59.779711Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:59:23.108Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the \u0027date\u0027 parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb-\u003eprepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T03:36:44.234Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dd041ff-a0a3-4d1f-83e0-6ec2a978e9cf?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Instructors_List.php#L376"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Instructors_List.php#L376"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/views/pages/instructors.php#L38"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/views/pages/instructors.php#L38"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Instructors_List.php#L451"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Instructors_List.php#L451"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3505142/tutor/tags/3.9.9/classes/Instructors_List.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-10T15:07:56.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-16T15:15:35.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u003c= 3.9.8 - Authenticated (Admin+) SQL Injection via \u0027date\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6080",
"datePublished": "2026-04-17T03:36:44.234Z",
"dateReserved": "2026-04-10T14:52:47.051Z",
"dateUpdated": "2026-04-20T14:59:23.108Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40740 (GCVE-0-2026-40740)
Vulnerability from cvelistv5 – Published: 2026-04-15 10:21 – Updated: 2026-04-29 09:52
VLAI
Title
WordPress Tutor LMS plugin <= 3.9.7 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.7.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Date Public
2026-04-15 12:20
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-40740",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T14:51:16.174464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T14:52:07.805Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "tutor",
"product": "Tutor LMS",
"vendor": "Themeum",
"versions": [
{
"changes": [
{
"at": "3.9.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.9.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "3diklab | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-15T12:20:47.004Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Tutor LMS: from n/a through \u003c= 3.9.7.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through \u003c= 3.9.7."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T09:52:04.818Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-7-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Tutor LMS plugin \u003c= 3.9.7 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-40740",
"datePublished": "2026-04-15T10:21:34.311Z",
"dateReserved": "2026-04-15T09:19:38.194Z",
"dateUpdated": "2026-04-29T09:52:04.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3371 (GCVE-0-2026-3371)
Vulnerability from cvelistv5 – Published: 2026-04-11 01:25 – Updated: 2026-04-13 15:15
VLAI
Title
Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3371",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T15:10:52.681017Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T15:15:07.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hunter Jensen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler\u0027s `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-11T01:25:01.083Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9cf0430-8577-449a-aefe-d7bf606fe2de?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1687"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1755"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L252"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7\u0026new_path=%2Ftutor/tags/3.9.8"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-27T19:33:20.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-10T12:00:50.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u003c= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3371",
"datePublished": "2026-04-11T01:25:01.083Z",
"dateReserved": "2026-02-27T22:04:08.540Z",
"dateUpdated": "2026-04-13T15:15:07.829Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3358 (GCVE-0-2026-3358)
Vulnerability from cvelistv5 – Published: 2026-04-11 01:24 – Updated: 2026-04-13 15:15
VLAI
Title
Tutor LMS <= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T15:09:07.243718Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T15:15:08.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mohammad Amin Hajian"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber\u0027s dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-11T01:24:56.945Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c173356-7228-4253-bb28-2c2e11af76fd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2066"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L134"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2053"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2989"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7\u0026new_path=%2Ftutor/tags/3.9.8"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/classes/Course.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-27T18:49:18.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-10T11:46:32.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u003c= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3358",
"datePublished": "2026-04-11T01:24:56.945Z",
"dateReserved": "2026-02-27T18:34:05.013Z",
"dateUpdated": "2026-04-13T15:15:08.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3360 (GCVE-0-2026-3360)
Vulnerability from cvelistv5 – Published: 2026-04-10 01:24 – Updated: 2026-04-10 17:05
VLAI
Title
Tutor LMS <= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via 'order_id' Parameter
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3360",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T17:05:29.061402Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T17:05:46.556Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner\u0027s profile (`$order_data-\u003euser_id`) without verifying the requester\u0027s identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T01:24:58.426Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f365519-dd0a-4f39-880d-7216ce2f7d1e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Tutor.php#L563"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L108"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L1059"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/ecommerce/CheckoutController.php#L1059"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/ecommerce/CheckoutController.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-27T20:06:17.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-09T12:40:11.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u003c= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via \u0027order_id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3360",
"datePublished": "2026-04-10T01:24:58.426Z",
"dateReserved": "2026-02-27T19:38:55.529Z",
"dateUpdated": "2026-04-10T17:05:46.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39638 (GCVE-0-2026-39638)
Vulnerability from cvelistv5 – Published: 2026-04-08 08:30 – Updated: 2026-04-29 09:52
VLAI
Title
WordPress Qubely plugin <= 1.8.14 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS.This issue affects Qubely: from n/a through <= 1.8.14.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Date Public
2026-04-08 10:28
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-39638",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-13T18:48:45.472112Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T18:48:48.559Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "qubely",
"product": "Qubely",
"vendor": "Themeum",
"versions": [
{
"lessThanOrEqual": "1.8.14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jitlada | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-08T10:28:35.888Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Themeum Qubely qubely allows Stored XSS.\u003cp\u003eThis issue affects Qubely: from n/a through \u003c= 1.8.14.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Themeum Qubely qubely allows Stored XSS.This issue affects Qubely: from n/a through \u003c= 1.8.14."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T09:52:03.258Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/qubely/vulnerability/wordpress-qubely-plugin-1-8-14-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Qubely plugin \u003c= 1.8.14 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-39638",
"datePublished": "2026-04-08T08:30:31.510Z",
"dateReserved": "2026-04-07T10:57:43.491Z",
"dateUpdated": "2026-04-29T09:52:03.258Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25406 (GCVE-0-2026-25406)
Vulnerability from cvelistv5 – Published: 2026-03-25 16:14 – Updated: 2026-04-28 16:14
VLAI
Title
WordPress Tutor LMS Pro plugin <= 3.9.4 - Broken Authentication vulnerability
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse.This issue affects Tutor LMS Pro: from n/a through <= 3.9.4.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Themeum | Tutor LMS Pro |
Affected:
0 , ≤ 3.9.4
(custom)
|
Date Public
2026-04-22 14:18
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25406",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T15:55:18.724746Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T01:40:14.501Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "tutor-pro",
"product": "Tutor LMS Pro",
"vendor": "Themeum",
"versions": [
{
"lessThanOrEqual": "3.9.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phat RiO | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:18:26.471Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse.\u003cp\u003eThis issue affects Tutor LMS Pro: from n/a through \u003c= 3.9.4.\u003c/p\u003e"
}
],
"value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse.This issue affects Tutor LMS Pro: from n/a through \u003c= 3.9.4."
}
],
"impacts": [
{
"capecId": "CAPEC-114",
"descriptions": [
{
"lang": "en",
"value": "Authentication Abuse"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:14:57.820Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/tutor-pro/vulnerability/wordpress-tutor-lms-pro-plugin-3-9-4-broken-authentication-vulnerability?_s_id=cve"
}
],
"title": "WordPress Tutor LMS Pro plugin \u003c= 3.9.4 - Broken Authentication vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-25406",
"datePublished": "2026-03-25T16:14:48.521Z",
"dateReserved": "2026-02-02T12:53:19.001Z",
"dateUpdated": "2026-04-28T16:14:57.820Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-32223 (GCVE-0-2025-32223)
Vulnerability from cvelistv5 – Published: 2026-03-19 08:05 – Updated: 2026-04-29 09:51
VLAI
Title
WordPress Tutor LMS plugin <= 3.9.4 - Insecure Direct Object References (IDOR) vulnerability
Summary
Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.4.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Date Public
2026-04-01 16:38
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32223",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-19T15:02:03.202503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T15:02:51.483Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "tutor",
"product": "Tutor LMS",
"vendor": "Themeum",
"versions": [
{
"changes": [
{
"at": "3.9.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.9.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "daroo | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:38:39.036Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Tutor LMS: from n/a through \u003c= 3.9.4.\u003c/p\u003e"
}
],
"value": "Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through \u003c= 3.9.4."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-29T09:51:54.944Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-4-insecure-direct-object-references-idor-vulnerability-2?_s_id=cve"
}
],
"title": "WordPress Tutor LMS plugin \u003c= 3.9.4 - Insecure Direct Object References (IDOR) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-32223",
"datePublished": "2026-03-19T08:05:59.217Z",
"dateReserved": "2025-04-04T10:01:50.054Z",
"dateUpdated": "2026-04-29T09:51:54.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0953 (GCVE-0-2026-0953)
Vulnerability from cvelistv5 – Published: 2026-03-10 05:26 – Updated: 2026-04-08 17:09
VLAI
Title
Tutor LMS Pro <= 3.9.5 - Authentication Bypass via Social Login
Summary
The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-287 - Improper Authentication
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS Pro |
Affected:
0 , ≤ 3.9.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0953",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T15:58:52.010194Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T16:52:06.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS Pro",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Tan Phat"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim\u0027s email address."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:09:29.685Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/92a120ac-66ae-4678-a87a-e62da885d50b?source=cve"
},
{
"url": "https://tutorlms.com/releases/id/393/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-14T19:18:04.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-09T16:33:12.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS Pro \u003c= 3.9.5 - Authentication Bypass via Social Login"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0953",
"datePublished": "2026-03-10T05:26:28.745Z",
"dateReserved": "2026-01-14T19:02:05.215Z",
"dateUpdated": "2026-04-08T17:09:29.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23799 (GCVE-0-2026-23799)
Vulnerability from cvelistv5 – Published: 2026-03-05 05:53 – Updated: 2026-04-28 16:14
VLAI
Title
WordPress Tutor LMS plugin <= 3.9.5 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.5.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Date Public
2026-04-22 14:19
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-23799",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T19:40:19.381146Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T15:44:04.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "tutor",
"product": "Tutor LMS",
"vendor": "Themeum",
"versions": [
{
"changes": [
{
"at": "3.9.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.9.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S. (m3ez) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:19:17.427Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Tutor LMS: from n/a through \u003c= 3.9.5.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through \u003c= 3.9.5."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:14:46.898Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-5-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Tutor LMS plugin \u003c= 3.9.5 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-23799",
"datePublished": "2026-03-05T05:53:48.754Z",
"dateReserved": "2026-01-16T14:15:17.504Z",
"dateUpdated": "2026-04-28T16:14:46.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13673 (GCVE-0-2025-13673)
Vulnerability from cvelistv5 – Published: 2026-02-28 07:25 – Updated: 2026-04-08 16:32
VLAI
Title
Tutor LMS <= 3.9.6 - Unauthenticated SQL Injection via coupon_code
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13673",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T15:30:14.379811Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T15:30:38.628Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the \u0027coupon_code\u0027 parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:32:19.793Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/007df869-dacb-4b0a-9c98-50586934cdab?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3469242/tutor"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-25T18:35:38.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-27T18:54:35.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u003c= 3.9.6 - Unauthenticated SQL Injection via coupon_code"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13673",
"datePublished": "2026-02-28T07:25:35.002Z",
"dateReserved": "2025-11-25T18:00:47.434Z",
"dateUpdated": "2026-04-08T16:32:19.793Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1371 (GCVE-0-2026-1371)
Vulnerability from cvelistv5 – Published: 2026-02-03 07:31 – Updated: 2026-04-08 17:03
VLAI
Title
Tutor LMS <= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1371",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T15:45:26.969407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T15:45:34.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:03:21.310Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f5c5f64-a864-4ce1-9080-19f7c4418307?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L106"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L658"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/ecommerce/CouponController.php?contextall=1\u0026old=3422766\u0026old_path=%2Ftutor%2Ftrunk%2Fecommerce%2FCouponController.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-23T16:16:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-02T18:49:17.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u003c= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via \u0027tutor_coupon_details\u0027 AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1371",
"datePublished": "2026-02-03T07:31:23.720Z",
"dateReserved": "2026-01-23T16:00:38.156Z",
"dateUpdated": "2026-04-08T17:03:21.310Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1375 (GCVE-0-2026-1375)
Vulnerability from cvelistv5 – Published: 2026-02-03 07:31 – Updated: 2026-04-08 16:51
VLAI
Title
Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1375",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T15:45:56.367297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T15:46:05.937Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
},
{
"lang": "en",
"type": "finder",
"value": "Tharadol Suksamran"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:51:47.055Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fce-461257420eb6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L289"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L437"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L463"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/classes/Course_List.php?contextall=1\u0026old=3339576\u0026old_path=%2Ftutor%2Ftrunk%2Fclasses%2FCourse_List.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-23T18:20:12.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-02T18:41:05.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u003c= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1375",
"datePublished": "2026-02-03T07:31:23.100Z",
"dateReserved": "2026-01-23T18:04:32.011Z",
"dateUpdated": "2026-04-08T16:51:47.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24584 (GCVE-0-2026-24584)
Vulnerability from cvelistv5 – Published: 2026-01-23 14:28 – Updated: 2026-04-28 16:14
VLAI
Title
WordPress Tutor LMS BunnyNet Integration plugin <= 1.0.0 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS.This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0.
Severity
5.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Themeum | Tutor LMS BunnyNet Integration |
Affected:
0 , ≤ 1.0.0
(custom)
|
Date Public
2026-04-01 16:04
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24584",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T19:55:27.383679Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T14:31:00.503Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "tutor-lms-bunnynet-integration",
"product": "Tutor LMS BunnyNet Integration",
"vendor": "Themeum",
"versions": [
{
"changes": [
{
"at": "1.0.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nabil Irawan | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:04:46.846Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS.\u003cp\u003eThis issue affects Tutor LMS BunnyNet Integration: from n/a through \u003c= 1.0.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS.This issue affects Tutor LMS BunnyNet Integration: from n/a through \u003c= 1.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "DOM-Based XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:14:49.758Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/tutor-lms-bunnynet-integration/vulnerability/wordpress-tutor-lms-bunnynet-integration-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Tutor LMS BunnyNet Integration plugin \u003c= 1.0.0 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-24584",
"datePublished": "2026-01-23T14:28:59.642Z",
"dateReserved": "2026-01-23T12:32:07.880Z",
"dateUpdated": "2026-04-28T16:14:49.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47555 (GCVE-0-2025-47555)
Vulnerability from cvelistv5 – Published: 2026-01-22 16:51 – Updated: 2026-04-28 16:12
VLAI
Title
WordPress Tutor LMS plugin <= 3.9.4 - Insecure Direct Object References (IDOR) vulnerability
Summary
Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.4.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://patchstack.com/database/Wordpress/Plugin/… | vdb-entry |
Date Public
2026-04-22 14:21
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47555",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-27T18:20:53.705150Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-27T18:20:56.736Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "tutor",
"product": "Tutor LMS",
"vendor": "Themeum",
"versions": [
{
"changes": [
{
"at": "3.9.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.9.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S. (m3ez) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-22T14:21:47.333Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Tutor LMS: from n/a through \u003c= 3.9.4.\u003c/p\u003e"
}
],
"value": "Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through \u003c= 3.9.4."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:12:45.379Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"title": "WordPress Tutor LMS plugin \u003c= 3.9.4 - Insecure Direct Object References (IDOR) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-47555",
"datePublished": "2026-01-22T16:51:40.623Z",
"dateReserved": "2025-05-07T09:40:00.791Z",
"dateUpdated": "2026-04-28T16:12:45.379Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0548 (GCVE-0-2026-0548)
Vulnerability from cvelistv5 – Published: 2026-01-20 14:26 – Updated: 2026-04-08 16:35
VLAI
Title
Tutor LMS – eLearning and online course solution <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0548",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T14:53:15.549458Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:53:42.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:35:25.884Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e475e02-494a-4ad0-a83c-d027c3a32989?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/tutor/tags/3.9.4/classes/User.php\u0026new_path=/tutor/tags/3.9.5/classes/User.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-21T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-01T17:15:10.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-20T01:46:19.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u2013 eLearning and online course solution \u003c= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0548",
"datePublished": "2026-01-20T14:26:31.808Z",
"dateReserved": "2026-01-01T16:58:14.820Z",
"dateUpdated": "2026-04-08T16:35:25.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13935 (GCVE-0-2025-13935)
Vulnerability from cvelistv5 – Published: 2026-01-09 07:22 – Updated: 2026-04-08 17:02
VLAI
Title
Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13935",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T18:10:36.671555Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T18:10:43.988Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the \u0027mark_course_complete\u0027 function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:02:31.130Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7b8b111a-9626-41f4-8a13-51f576af0257?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-02T22:38:12.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T18:44:27.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u2013 eLearning and online course solution \u003c= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13935",
"datePublished": "2026-01-09T07:22:11.913Z",
"dateReserved": "2025-12-02T22:22:21.248Z",
"dateUpdated": "2026-04-08T17:02:31.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13934 (GCVE-0-2025-13934)
Vulnerability from cvelistv5 – Published: 2026-01-09 07:22 – Updated: 2026-04-08 16:56
VLAI
Title
Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13934",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T19:06:22.553353Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T19:11:47.452Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:56:00.874Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5de212c9-5c2e-4713-b1ce-022dd84520c3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-02T22:38:03.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T18:43:50.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u2013 eLearning and online course solution \u003c= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13934",
"datePublished": "2026-01-09T07:22:11.542Z",
"dateReserved": "2025-12-02T22:22:20.669Z",
"dateUpdated": "2026-04-08T16:56:00.874Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13628 (GCVE-0-2025-13628)
Vulnerability from cvelistv5 – Published: 2026-01-09 07:22 – Updated: 2026-04-08 16:49
VLAI
Title
Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13628",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-09T19:06:39.210342Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T19:11:27.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the \u0027bulk_action_handler\u0027 and \u0027coupon_permanent_delete\u0027 functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:49:55.422Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46f71f7b-7326-47b6-a23a-68a40f5bb56b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/ecommerce/CouponController.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-15T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-11-24T21:55:21.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-08T19:03:12.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u2013 eLearning and online course solution \u003c= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13628",
"datePublished": "2026-01-09T07:22:10.781Z",
"dateReserved": "2025-11-24T21:38:45.491Z",
"dateUpdated": "2026-04-08T16:49:55.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13679 (GCVE-0-2025-13679)
Vulnerability from cvelistv5 – Published: 2026-01-08 07:04 – Updated: 2026-04-08 16:34
VLAI
Title
Tutor LMS <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via tutor_order_details
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13679",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-08T15:04:02.747945Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T15:04:10.378Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:34:11.809Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0830d0c3-99c0-423e-99ab-f0c1cbec52d9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/tags/3.9.4/ecommerce/OrderController.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-25T19:20:25.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-07T18:46:16.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u003c= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via tutor_order_details"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13679",
"datePublished": "2026-01-08T07:04:12.744Z",
"dateReserved": "2025-11-25T18:50:29.670Z",
"dateUpdated": "2026-04-08T16:34:11.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}