Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-05-13
CVE-2026-6965 - Tutor Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated…
PLUGIN
Tutor
CVE-2026-6965
Risk Score
Threat Entry
Updated 2026-04-22
CVE-2026-6080 - Tutor Plugin
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database.
PLUGIN
Tutor
CVE-2026-6080
Risk Score
Threat Entry
Updated 2026-04-22
CVE-2026-5502 - Tutor Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) but does not verify whether the user has permission to manage course content. The can_user_manage() authorization check only executes when the 'content_parent' parameter is present in the request. When this parameter is omitted, the function proceeds directly to save_course_content_order() which manipulates the wp_posts table…
PLUGIN
Tutor
CVE-2026-5502
Risk Score
Threat Entry
Updated 2026-04-24
CVE-2026-3358 - Tutor Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the…
PLUGIN
Tutor
CVE-2026-3358
Risk Score
Threat Entry
Updated 2026-04-24
CVE-2026-3371 - Tutor Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content,…
PLUGIN
Tutor
CVE-2026-3371
Risk Score
Threat Entry
Updated 2026-04-24
CVE-2026-3360 - Tutor Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated…
PLUGIN
Tutor
CVE-2026-3360
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1375 - Tutor Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.
PLUGIN
Tutor
CVE-2026-1375
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1371 - Tutor Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications.
PLUGIN
Tutor
CVE-2026-1371
Risk Score
Threat Entry
Updated 2025-10-27
CVE-2025-6639 - Tutor Plugin
The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the tutor_assignment_submit() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and edit assignment submissions of other students.
PLUGIN
Tutor
CVE-2025-6639
Risk Score
Threat Entry
Updated 2025-12-05
CVE-2025-11564 - Tutor Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'.
PLUGIN
Tutor
CVE-2025-11564
Risk Score
Threat Entry
Updated 2025-08-13
CVE-2025-6184 - Tutor Plugin
The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter used in the get_submitted_assignments() function in all versions up to, and including, 3.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Tutor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Only the Pro…
PLUGIN
Tutor
CVE-2025-6184
Risk Score
Threat Entry
Updated 2024-09-26
CVE-2023-2919 - Tutor Plugin
The Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.4. This is due to missing or incorrect nonce validation on the 'addon_enable_disable' function. This makes it possible for unauthenticated attackers to enable or disable addons via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Tutor
CVE-2023-2919
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-5438 - Tutor Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.1 via the 'attempt_delete' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Instructor-level access and above, to delete arbitrary quiz attempts.
PLUGIN
Tutor
CVE-2024-5438
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2024-4902 - Tutor Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘course_id’ parameter in all versions up to, and including, 2.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Tutor
CVE-2024-4902
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-4318 - Tutor Plugin
The Tutor LMS plugin for WordPress is vulnerable to time-based SQL Injection via the ‘question_id’ parameter in versions up to, and including, 2.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Instructor-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Tutor
CVE-2024-4318
Risk Score
Threat Entry
Updated 2025-01-24
CVE-2024-4279 - Tutor Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutor_course_delete' function due to missing validation on a user controlled key. This can allow authenticated attackers, with Instructor-level permissions and above, to delete any course.
PLUGIN
Tutor
CVE-2024-4279
Risk Score
Threat Entry
Updated 2025-01-15
CVE-2024-1503 - Tutor Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.1. This is due to missing or incorrect nonce validation on the erase_tutor_data() function. This makes it possible for unauthenticated attackers to deactivate the plugin and erase all data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This requires the "Erase upon uninstallation" option to be enabled.
PLUGIN
Tutor
CVE-2024-1503
Risk Score
Threat Entry
Updated 2025-01-15
CVE-2024-1751 - Tutor Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the question_id parameter in all versions up to, and including, 2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber/student access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Tutor
CVE-2024-1751
Risk Score
Threat Entry
Updated 2024-11-21
CVE-2023-3133 - Tutor Plugin
The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowing unauthenticated attackers to access information from Lessons that should not be publicly available.
PLUGIN
Tutor
CVE-2023-3133
Risk Score