Themeum
Products by Themeum Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 30 vulnerabilities in Themeum products with an average score of 6.4 out of ten. Last year, in 2025, Themeum had 14 security vulnerabilities published. That is, 16 more vulnerabilities have already been reported in 2026 than in all of last year. The average CVE base score of the 2026 vulnerabilities is also higher, by 0.69.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 30 | 6.39 |
| 2025 | 14 | 5.70 |
| 2024 | 44 | 6.34 |
| 2023 | 11 | 6.82 |
| 2022 | 5 | 5.40 |
| 2021 | 12 | 5.93 |
| 2020 | 1 | 0.00 |
It may take a day or so for new Themeum vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Themeum Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-10736 | Jun 18, 2026 | **Tutor LMS 3.9.11 Authenticated 'data' SQLi for admin users**. The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | Tutor LMS |
| CVE-2026-22332 | Jun 17, 2026 | **Unauthenticated SQL Injection in Tutor LMS Pro <=3.9.6**. Unauthenticated SQL Injection in Tutor LMS Pro <= 3.9.6 versions. | Tutor LMS Pro |
| CVE-2026-22330 | Jun 17, 2026 | **Unauthenticated LFI in Right Way <=4.0**. Unauthenticated Local File Inclusion in Right Way <= 4.0 versions. | Right Way |
| CVE-2026-22329 | Jun 17, 2026 | **Skillate <=1.2.10 Unauthenticated XSS Vulnerability**. Unauthenticated Cross Site Scripting (XSS) in Skillate <= 1.2.10 versions. | Skillate |
| CVE-2026-40743 | Jun 15, 2026 | **Unauthenticated Broken Access Control in Tutor LMS <=3.9.7**. Unauthenticated Broken Access Control in Tutor LMS <= 3.9.7 versions. | Tutor LMS |
| CVE-2026-8206 | Jun 02, 2026 | **Privilege Escalation via Account Takeover in Kirki Freeform Builder 6.0.0 to 6.0.6**. The Kirki Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address. | Kirki Freeform Page Builder |
| CVE-2026-8073 | May 19, 2026 | **Kirki Freeform Plugin <6.0.6 Arbitrary File Deletion via downloadZIP**. The Kirki Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and a missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited to the WordPress uploads base directory. | Kirki Freeform Page Builder |
| CVE-2026-8096 | May 19, 2026 | **Kirki Plugin 6.0.6: Auth Bypass (Subscriber+) Leaks Form Data**. The Kirki Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view all Kirki frontend forms and read stored visitor form submission data, including contact details, messages, and any other visitor-provided information submitted through site forms. | Kirki Freeform Page Builder |
| CVE-2026-6965 | May 13, 2026 | **Tutor LMS WP Plugin IDOR (3.9.9)**. The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content. | Tutor LMS |
| CVE-2026-5502 | Apr 17, 2026 | **Unauthorized Course Content Manipulation in Tutor LMS 3.9.8**. The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) but does not verify whether the user has permission to manage course content. The can_user_manage() authorization check only executes when the 'content_parent' parameter is present in the request. When this parameter is omitted, the function proceeds directly to save_course_content_order(), which manipulates the wp_posts table without any authorization validation. This makes it possible for authenticated attackers with subscriber-level access and above to detach all lessons from any topic, move lessons between topics, and modify the menu_order of course content, effectively allowing them to disrupt the structure of any course on the site. | Tutor LMS |
| CVE-2026-6080 | Apr 17, 2026 | **SQLi in Tutor LMS plugin 3.9.8 via date param**. The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database. | Tutor LMS |
| CVE-2026-40740 | Apr 15, 2026 | **Themeum Tutor LMS 3.9.7 Missing Auth Exploitable Access Control**. Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.7. | Tutor LMS |
| CVE-2026-3371 | Apr 11, 2026 | **IDOR in Tutor LMS <=3.9.7 via save_course_content_order() AJAX**. The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs. | Tutor LMS |
| CVE-2026-3358 | Apr 11, 2026 | **Unauthorized Private Course Enrollment via post_status bypass in Tutor LMS <=3.9.7**. The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability. | Tutor LMS |
| CVE-2026-3360 | Apr 10, 2026 | **Tutor LMS 3.9.7 IDOR: Unauthenticated Billing Write via order_id**. The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`. | Tutor LMS |
| CVE-2026-39638 | Apr 08, 2026 | **Themeum Qubely <=1.8.14 Stored XSS via Unsanitized Input**. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS. This issue affects Qubely: from n/a through <= 1.8.14. | Qubely |
| CVE-2026-25406 | Mar 25, 2026 | **Tutor LMS Pro <=3.9.4 Auth Bypass via Alternate Path**. Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse. This issue affects Tutor LMS Pro: from n/a through <= 3.9.8. | Tutor LMS Pro |
| CVE-2025-32223 | Mar 19, 2026 | **Tutor LMS 3.9.4 Auth Bypass via User-Controlled Key (Themeum)**. Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.4. | Tutor LMS |
| CVE-2026-0953 | Mar 10, 2026 | **Tutor LMS Pro <=3.9.5 Auth Bypass via Social Login Addon**. The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address. | Tutor LMS Pro |
| CVE-2026-23799 | Mar 05, 2026 | **Missing Auth in Themeum Tutor LMS <=3.9.5**. Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.5. | Tutor LMS |
| CVE-2025-13673 | Feb 28, 2026 | **SQLi via coupon_code in Tutor LMS <= 3.9.6 (Mitigated 3.9.4/3.9.6)**. The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6. | Tutor LMS |
| CVE-2026-1371 | Feb 03, 2026 | **WordPress Tutor LMS v3.9.5 Sensitive Info Exposure via ajax_coupon_details**. The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications. | Tutor LMS |
| CVE-2026-1375 | Feb 03, 2026 | **Tutor LMS IDOR in v<=3.9.5: Modify/Delete Arbitrary Courses**. The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests. | Tutor LMS |
| CVE-2026-24584 | Jan 23, 2026 | **Themeum Tutor LMS BunnyNet Integration XSS (<=1.0.0)**. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS. This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0. | Tutor LMS BunnyNet Integration |
| CVE-2025-47555 | Jan 22, 2026 | **Tutor LMS 3.9.4 Auth Bypass via User-Controlled Key**. Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.4. | Tutor LMS |
| CVE-2026-0548 | Jan 20, 2026 | **Tutor LMS WP Plugin <3.9.4 Unauthorized Attachment Deletion via delete_existing_user_photo**. The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments on the site. | Tutor LMS |
| CVE-2025-13935 | Jan 09, 2026 | **Tutor LMS <=3.9.2 Unauthorized Course Completion via mark_course_complete**. The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark any course as completed. | Tutor LMS |
| CVE-2025-13934 | Jan 09, 2026 | **Tutor LMS WordPress Plugin <3.9.3 Unauthorized Course Enrolment via AJAX**. The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber-level access and above, to enroll themselves in any course without going through the proper purchase flow. | Tutor LMS |
| CVE-2025-13628 | Jan 09, 2026 | **Tutor LMS WP Plugin: Unauthorized Coupon Deletion (3.9.3)**. The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete, activate, deactivate, or trash arbitrary coupons. | Tutor LMS |
| CVE-2025-13679 | Jan 08, 2026 | **Unauthorized Access in Tutor LMS <=3.9.3 get_order_by_id()**. The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address. | Tutor LMS |
| CVE-2025-63042 | Dec 09, 2025 | **Stored XSS in Themeum Tutor LMS Elementor Addons 3.0.1**. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS Elementor Addons tutor-lms-elementor-addons allows Stored XSS. This issue affects Tutor LMS Elementor Addons: from n/a through <= 3.0.1. | Tutor LMS Elementor Addons |
| CVE-2025-6639 | Oct 25, 2025 | **Insecure Direct Object Reference (IDOR) in Tutor LMS Pro <=3.8.3**. The Tutor LMS Pro eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user-controlled key when viewing and editing assignments through the tutor_assignment_submit() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and edit assignment submissions of other students. | Tutor LMS Pro |
| CVE-2025-11564 | Oct 25, 2025 | **Tutor LMS WP Plugin 3.8.3: Missing Cap Check Enables Unauthenticated Order Payment Bypass**. The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'. | Tutor LMS |
| CVE-2025-6680 | Oct 25, 2025 | **Sensitive Info Exposure in Tutor LMS 3.8.3 (WordPress plugin)**. The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level access and above, to view assignments for courses they don't teach, which may contain sensitive information. | Tutor LMS |
| CVE-2025-58249 | Sep 22, 2025 | **Qubely <=1.8.14: Sensitive Data Exposure via Sent Data**. Insertion of Sensitive Information Into Sent Data vulnerability in Themeum Qubely qubely allows Retrieve Embedded Sensitive Data. This issue affects Qubely: from n/a through <= 1.8.14. | Qubely |
| CVE-2025-58663 | Sep 22, 2025 | **Themeum Qubely 1.8.14 Missing Auth via Incorrect Access Control Levels**. Missing Authorization vulnerability in Themeum Qubely qubely allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Qubely: from n/a through <= 1.8.14. | Qubely |
| CVE-2025-5835 | Jul 25, 2025 | **Droip Plugin Missing Capability Check (WP <=2.2.0)**. The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions, as the AJAX hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more. | Droip |
| CVE-2025-5831 | Jul 25, 2025 | **Droip WP Plugin <=2.2.0: Arbitrary File Upload (RCE)**. The Droip plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the make_google_font_offline() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. | Droip |
| CVE-2025-32230 | Apr 10, 2025 | **Themeum Tutor LMS v<=3.4.0: XSS via Improper Neutralization**. Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Themeum Tutor LMS. This issue affects Tutor LMS: from n/a through 3.4.0. | Tutor LMS |
| CVE-2025-31892 | Apr 01, 2025 | **WP Crowdfunding <=2.1.13: Stored XSS Vulnerability**. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum WP Crowdfunding wp-crowdfunding allows Stored XSS. This issue affects WP Crowdfunding: from n/a through <= 2.1.15. | WP Crowdfunding |
| CVE-2025-1508 | Mar 12, 2025 | **WP Crowdfunding <=2.1.13: Unrestricted Data Download via Missing Cap Check**. The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed. | WP Crowdfunding |
| CVE-2024-13228 | Mar 11, 2025 | **Qubely Advanced Gutenberg Blocks <=1.8.13 Sensitive Information Exposure via qubely_get_content**. The Qubely Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.13 via the 'qubely_get_content'. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, password-protected, draft, and trashed post data. | Qubely |
| CVE-2025-26767 | Feb 16, 2025 | **Qubely 1.8.12 Stored XSS via Improper Input Neutralization**. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely qubely allows Stored XSS. This issue affects Qubely: from n/a through <= 1.8.12. | Qubely |
| CVE-2024-9601 | Feb 14, 2025 | **Stored XSS in Qubely Gutenberg Blocks 1.8.12 via align/UniqueID**. The Qubely Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' and 'UniqueID' parameters in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | Qubely |
| CVE-2024-54282 | Dec 13, 2024 | **WP Mega Menu <1.4.2 Deserialization (Object Injection) in Themeum**. Deserialization of Untrusted Data vulnerability in Themeum WP Mega Menu wp-megamenu allows Object Injection. This issue affects WP Mega Menu: from n/a through <= 1.4.2. | WP Mega Menu |
| CVE-2023-41870 | Dec 13, 2024 | **Themeum WP Crowdfunding Missing Auth Vulnerability (2.1.5)**. Missing Authorization vulnerability in Themeum WP Crowdfunding wp-crowdfunding allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Crowdfunding: from n/a through <= 2.1.5. | WP Crowdfunding |
| CVE-2024-11910 | Dec 13, 2024 | **Stored XSS Vulnerability in WP Crowdfunding Plugin**. The WP Crowdfunding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wp-crowdfunding/search block in all versions up to, and including, 2.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | WP Crowdfunding |
| CVE-2024-11911 | Dec 13, 2024 | **WP Crowdfunding Plugin: Unauthorized Plugin Installation Vulnerability**. The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the install_woocommerce_plugin() function in all versions up to, and including, 2.1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install WooCommerce. This has a limited impact on most sites because WooCommerce is a requirement. | WP Crowdfunding |
| CVE-2024-53816 | Dec 09, 2024 | **Tutor LMS Elementor Addons <=2.1.5 Missing Auth Vulnerability**. Missing Authorization vulnerability in Themeum Tutor LMS Elementor Addons tutor-lms-elementor-addons. This issue affects Tutor LMS Elementor Addons: from n/a through <= 2.1.5. | Tutor LMS Elementor Addons |
| CVE-2024-10393 | Nov 21, 2024 | **Tutor LMS Plugin for WordPress: Unauthenticated User Registration Bypass Vulnerability**. The Tutor LMS plugin for WordPress is vulnerable to user registration bypass in versions up to, and including, 2.7.6. This is due to a missing check for the 'users_can_register' option in the 'register_instructor' function. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled. | Tutor LMS |