Themeum Tutor LMS Security Vulnerabilities


By the Year

In 2026 there have so far been 14 vulnerabilities published for Themeum Tutor LMS, with an average CVE base score of 6.52 out of ten. In 2025, 4 were published, so 2026 is already 10 ahead of last year, and its average base score is 1.52 higher (6.52 against 5.00).




Year Vulnerabilities Average Score
2026 14 6.52
2025 4 5.00
2024 28 6.73
2023 7 7.31
2022 2 5.45
2021 10 6.14
2020 1 0.00

It may take a day or so for new Tutor LMS vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name (the Tutor LMS Pro, BunnyNet Integration and Migration Tool entries below are examples).

Recent Themeum Tutor Lms Security Vulnerabilities

Tutor LMS Pro <=3.9.4 Authentication Bypass via Alternate Path
CVE-2026-25406 8.8 - High - March 25, 2026

Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro (tutor-pro) allows Authentication Abuse. This issue affects Tutor LMS Pro: all versions up to and including 3.9.4.

Authentication Bypass Using an Alternate Path or Channel

Tutor LMS <=3.9.4 Authorization Bypass via User-Controlled Key (Themeum)
CVE-2025-32223 6.5 - Medium - March 19, 2026

Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: all versions up to and including 3.9.4.

Insecure Direct Object Reference / IDOR

Tutor LMS Pro <=3.9.5 Auth Bypass via Social Login Addon
CVE-2026-0953 9.8 - Critical - March 10, 2026

The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address.

Authentication Bypass
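Added example, not Tutor LMS code: a Python model of the CVE-2026-0953 pattern described above. The social-login callback must take the account identity from the validated OAuth token; the vulnerable shape below uses the token only as proof that some OAuth session exists and then logs in whichever email the request body names. The user directory, the claim names (email, email_verified) and the login functions are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed user directory for the example: email -> (user_id, role).
USERS = {
    "admin@example.test": (1, "administrator"),
    "mallory@example.test": (7, "subscriber"),
}


@dataclass(frozen=True)
class OAuthClaims:
    """Claims from a token whose signature, issuer, audience and expiry have
    already been checked upstream. Only the claims are modelled here."""
    email: str
    email_verified: bool


def login_vulnerable(claims: OAuthClaims, requested_email: str) -> Optional[int]:
    """Vulnerable shape: the token only proves that *some* valid OAuth session
    exists; the account to log into is taken from the request body."""
    if not claims.email:
        return None
    user = USERS.get(requested_email.strip().lower())
    return user[0] if user else None


def login_fixed(claims: OAuthClaims, requested_email: str) -> Optional[int]:
    """Fixed shape: identity comes from the token. The request's email is at
    most a hint and must agree with the token, or the login is refused."""
    if not claims.email_verified:
        return None  # provider has not confirmed ownership of this address
    token_email = claims.email.strip().lower()
    if requested_email.strip().lower() != token_email:
        return None  # attacker token paired with a victim email
    user = USERS.get(token_email)
    return user[0] if user else None


def demo() -> dict:
    """Attacker holds a genuine token for mallory@ and asks to log in as admin@."""
    attacker_token = OAuthClaims(email="mallory@example.test", email_verified=True)
    unverified = OAuthClaims(email="admin@example.test", email_verified=False)
    return {
        "vulnerable_as_admin": login_vulnerable(attacker_token, "admin@example.test"),
        "fixed_as_admin": login_fixed(attacker_token, "admin@example.test"),
        "fixed_as_self": login_fixed(attacker_token, "Mallory@Example.test"),
        "fixed_unverified": login_fixed(unverified, "admin@example.test"),
    }


if __name__ == "__main__":
    print(demo())
```

The email_verified check matters as much as the comparison: a provider that has not confirmed the address must not be allowed to assert it, or the same attack returns via an attacker-registered provider account.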

Missing Auth in Themeum Tutor LMS <=3.9.5
CVE-2026-23799 6.5 - Medium - March 05, 2026

Missing Authorization vulnerability in Themeum Tutor LMS (tutor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: all versions up to and including 3.9.5.

AuthZ

SQLi via coupon_code in Tutor LMS <=3.9.6 (partially mitigated in 3.9.4 and 3.9.6)
CVE-2025-13673 7.5 - High - February 28, 2026

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6.

SQL Injection

WordPress Tutor LMS <=3.9.5 Sensitive Info Exposure via ajax_coupon_details
CVE-2026-1371 5.3 - Medium - February 03, 2026

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications.

Information Disclosure

Tutor LMS IDOR in v<=3.9.5 Modify/Delete arbitrary courses
CVE-2026-1375 8.1 - High - February 03, 2026

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.

Insecure Direct Object Reference / IDOR
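Added example, not Tutor LMS code: a Python model of the two authorization gaps in the entries above (ajax_coupon_details() validating only a nonce in CVE-2026-1371, and the bulk course actions in CVE-2026-1375 checking the caller's role but not ownership of each course ID). The same shape applies to the other "missing capability check" entries further down. A nonce is CSRF protection and proves only that the request came from a page the site served to that user; it is not authorization. The nonce scheme, capability names (manage_tutor, edit_tutor_course) and course/coupon tables are assumptions constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

SECRET = b"constructed-site-secret"  # stands in for the WordPress salts


def make_nonce(user_id: int, action: str) -> str:
    """Like wp_create_nonce(): bound to the user and the action, not to any object ID."""
    msg = f"{user_id}:{action}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def verify_nonce(user_id: int, action: str, nonce: str) -> bool:
    return hmac.compare_digest(make_nonce(user_id, action), nonce)


@dataclass(frozen=True)
class User:
    id: int
    caps: frozenset  # capability names; manage_tutor / edit_tutor_course are assumed here


@dataclass
class Course:
    id: int
    author_id: int
    status: str = "publish"


def new_courses() -> dict:
    """Constructed course table: 10 belongs to instructor 2, 11 to instructor 3."""
    return {10: Course(10, author_id=2), 11: Course(11, author_id=3)}


COUPONS = {"SAVE50": {"discount_percent": 50, "uses": 12}}


# ajax_coupon_details() shape: nonce checked, capability not -----------------
def coupon_details_vulnerable(user: User, nonce: str, code: str):
    if not verify_nonce(user.id, "coupon_details", nonce):
        raise PermissionError("bad nonce")
    return COUPONS.get(code)  # any logged-in user holding a nonce gets here


def coupon_details_fixed(user: User, nonce: str, code: str):
    if not verify_nonce(user.id, "coupon_details", nonce):
        raise PermissionError("bad nonce")
    if "manage_tutor" not in user.caps:  # role-level check, like current_user_can()
        raise PermissionError("capability")
    return COUPONS.get(code)


# bulk course action shape: capability checked, ownership of each ID not -----
def bulk_trash_vulnerable(user: User, nonce: str, course_ids, courses: dict):
    if not verify_nonce(user.id, "course_bulk", nonce):
        raise PermissionError("bad nonce")
    if "edit_tutor_course" not in user.caps:
        raise PermissionError("capability")
    for cid in course_ids:  # IDs come straight from the request
        courses[cid].status = "trash"
    return sorted(course_ids)


def can_manage_course(user: User, course: Course) -> bool:
    return course.author_id == user.id or "manage_options" in user.caps


def bulk_trash_fixed(user: User, nonce: str, course_ids, courses: dict):
    if not verify_nonce(user.id, "course_bulk", nonce):
        raise PermissionError("bad nonce")
    if "edit_tutor_course" not in user.caps:
        raise PermissionError("capability")
    # Object-level check on every ID before mutating any, so a mixed request
    # is rejected whole rather than partly applied.
    targets = []
    for cid in course_ids:
        course = courses.get(cid)
        if course is None or not can_manage_course(user, course):
            raise PermissionError(f"not permitted on course {cid}")
        targets.append(course)
    for course in targets:
        course.status = "trash"
    return sorted(c.id for c in targets)


def denied(fn, *args) -> bool:
    """True if the handler refuses the call with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    subscriber = User(5, frozenset({"read"}))
    instructor = User(2, frozenset({"read", "edit_tutor_course"}))
    print(coupon_details_vulnerable(subscriber, make_nonce(5, "coupon_details"), "SAVE50"))
    print(denied(coupon_details_fixed, subscriber, make_nonce(5, "coupon_details"), "SAVE50"))
    print(denied(bulk_trash_fixed, instructor, make_nonce(2, "course_bulk"), [10, 11], new_courses()))
```

Checking every object before touching any is deliberate: a bulk request mixing the caller's own course with someone else's is refused outright, which is easier to reason about and to log than a partial apply.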

Themeum Tutor LMS BunnyNet Integration XSS (<=1.0.0)
CVE-2026-24584 5.9 - Medium - January 23, 2026

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS BunnyNet Integration (tutor-lms-bunnynet-integration) allows DOM-Based XSS. This issue affects Tutor LMS BunnyNet Integration: all versions up to and including 1.0.0.

XSS

Tutor LMS <=3.9.4 Authorization Bypass via User-Controlled Key
CVE-2025-47555 8.1 - High - January 22, 2026

Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS (tutor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: all versions up to and including 3.9.4.

Insecure Direct Object Reference / IDOR

Tutor LMS WP Plugin <=3.9.4 Unauthorized Attachment Deletion via delete_existing_user_photo
CVE-2026-0548 5.4 - Medium - January 20, 2026

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.

AuthZ

Tutor LMS <=3.9.2 Unauthorized Course Completion via mark_course_complete
CVE-2025-13935 4.3 - Medium - January 09, 2026

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed.

AuthZ

Tutor LMS WordPress Plugin <=3.9.3 Unauthorized Course Enrolment via AJAX
CVE-2025-13934 4.3 - Medium - January 09, 2026

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow.

AuthZ

Tutor LMS WP Plugin <=3.9.3: Unauthorized Coupon Modification and Deletion
CVE-2025-13628 4.3 - Medium - January 09, 2026

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons.

AuthZ

Unauthorized Access in Tutor LMS <=3.9.3 get_order_by_id()
CVE-2025-13679 6.5 - Medium - January 08, 2026

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address.

AuthZ

Insecure Direct Object Reference (IDOR) in Tutor LMS Pro <=3.8.3
CVE-2025-6639 5.4 - Medium - October 25, 2025

The Tutor LMS Pro eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the tutor_assignment_submit() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and edit assignment submissions of other students.

AuthZ

Tutor LMS WP Plugin <=3.8.3: Missing Check Enables Unauthenticated Payment Verification Bypass
CVE-2025-11564 5.3 - Medium - October 25, 2025

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'.

AuthZ
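Added example, not Tutor LMS code: a Python model of the CVE-2025-11564 shape above, in which a forged webhook with payment_type set to 'recurring' bypassed payment verification and marked an order paid. The advisory does not name the gateway or its signing scheme; the HMAC-SHA256-over-raw-body signature, the shared secret and the order table below are assumptions constructed for the example. The point is that verification must run before the handler parses or branches on anything in the body.

```python
import hashlib
import hmac
import json

WEBHOOK_SECRET = b"constructed-gateway-secret"  # shared with the hypothetical gateway


def sign(raw_body: bytes) -> str:
    """HMAC-SHA256 over the raw request body; an assumed scheme, not a specific gateway's."""
    return hmac.new(WEBHOOK_SECRET, raw_body, hashlib.sha256).hexdigest()


def signature_valid(raw_body: bytes, header_sig) -> bool:
    if not header_sig:
        return False
    return hmac.compare_digest(sign(raw_body), header_sig)


def handle_webhook_vulnerable(raw_body: bytes, header_sig, orders: dict) -> str:
    """Shape of the bug: the body is parsed first and only the non-recurring
    path is verified, so a 'recurring' event needs no signature at all."""
    event = json.loads(raw_body)
    if event.get("payment_type") != "recurring":
        if not signature_valid(raw_body, header_sig):
            return "rejected"
    orders[event["order_id"]] = "paid"
    return "paid"


def handle_webhook_fixed(raw_body: bytes, header_sig, orders: dict) -> str:
    """Verify before parsing or branching; unsigned bytes are not an event."""
    if not signature_valid(raw_body, header_sig):
        return "rejected"
    event = json.loads(raw_body)
    order_id = event.get("order_id")
    if order_id not in orders:
        return "rejected"      # webhooks update orders the site created, never create them
    if orders[order_id] == "paid":
        return "duplicate"     # replayed deliveries must be idempotent
    orders[order_id] = "paid"
    return "paid"


def forged_recurring_event(order_id: int) -> bytes:
    """Constructed attacker request: a recurring-type event with no valid signature."""
    return json.dumps({"order_id": order_id, "payment_type": "recurring",
                       "status": "completed"}).encode()


if __name__ == "__main__":
    orders = {101: "pending"}
    body = forged_recurring_event(101)
    print("vulnerable:", handle_webhook_vulnerable(body, None, dict(orders)))
    print("fixed:", handle_webhook_fixed(body, None, dict(orders)))
    print("fixed, genuine:", handle_webhook_fixed(body, sign(body), dict(orders)))
```

Two checks beyond the signature are worth keeping whatever the gateway: reject events for orders the site never created, and treat a second delivery for an already-paid order as a no-op rather than a state change.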

Sensitive Info Exposure in Tutor LMS <=3.8.3 (WordPress plugin)
CVE-2025-6680 4.3 - Medium - October 25, 2025

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level access and above, to view assignments for courses they don't teach which may contain sensitive information.

Authorization

Themeum Tutor LMS v<=3.4.0: XSS via Improper Neutralization
CVE-2025-32230 - April 10, 2025

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Themeum Tutor LMS. This issue affects Tutor LMS: from n/a through 3.4.0.

Basic XSS

SQL Injection via rating_filter in Tutor LMS <=2.7.6 (WordPress plugin)
CVE-2024-10400 7.5 - High - November 21, 2024

The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the rating_filter parameter in all versions up to, and including, 2.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

SQL Injection

Tutor LMS Plugin for WordPress: Unauthenticated User Registration Bypass Vulnerability
CVE-2024-10393 5.3 - Medium - November 21, 2024

The Tutor LMS plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 2.7.6. This is due to a missing check for the 'users_can_register' option in the 'register_instructor' function. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.

Authorization

Missing Auth in Tutor LMS <=2.7.3 (Themeum)
CVE-2024-43142 8.8 - High - November 01, 2024

Missing Authorization vulnerability in Themeum Tutor LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: all versions up to and including 2.7.3.

AuthZ

CSRF in Tutor LMS <=2.7.4 via addon_enable_disable
CVE-2023-2919 4.3 - Medium - September 10, 2024

The Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.4. This is due to missing or incorrect nonce validation on the 'addon_enable_disable' function. This makes it possible for unauthenticated attackers to enable or disable addons via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Session Riding

Tutor LMS Pro <=2.7.2 Missing Capability Checks Enable Unauthorized Admin Actions
CVE-2024-5784 7.1 - High - August 30, 2024

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized execution of administrative actions due to missing capability checks on multiple functions, such as treport_quiz_atttempt_delete and tutor_gc_class_action, in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform administrative actions on the site, such as deleting comments, posts or users, viewing notifications, etc.

AuthZ

CSRF in Themeum Tutor LMS (v2.7.2 and prior)
CVE-2024-39645 8.8 - High - August 26, 2024

Cross-Site Request Forgery (CSRF) vulnerability in Themeum Tutor LMS. This issue affects Tutor LMS: all versions up to and including 2.7.2.

Session Riding

SQL Injection in Themeum Tutor LMS <=2.7.2 (WordPress)
CVE-2024-43282 7.2 - High - August 18, 2024

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS. This issue affects Tutor LMS: all versions up to and including 2.7.2.

SQL Injection

Stored XSS via Improper Neutralization of Input in Tutor LMS <=2.7.3
CVE-2024-43231 5.4 - Medium - August 12, 2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS allows Stored XSS. This issue affects Tutor LMS: all versions up to and including 2.7.3.

XSS

Unauthorized Data Mod in Tutor LMS Migration Tool v2.2.0
CVE-2024-1804 4.3 - Medium - July 27, 2024

The Tutor LMS Migration Tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tutor_import_from_xml function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to import courses.

AuthZ

Themeum Tutor LMS <=2.7.2 Stored XSS Vulnerability
CVE-2024-37947 4.8 - Medium - July 20, 2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS allows Stored XSS. This issue affects Tutor LMS: all versions up to and including 2.7.2.

XSS

Themeum Tutor LMS <=2.7.1 Path Traversal
CVE-2024-37266 7.2 - High - July 09, 2024

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Themeum Tutor LMS allows Path Traversal. This issue affects Tutor LMS: all versions up to and including 2.7.1.

Directory traversal

Themeum Tutor LMS <=2.7.1: SQL Injection via Unsanitized Input
CVE-2024-37256 7.2 - High - July 09, 2024

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS. This issue affects Tutor LMS: all versions up to and including 2.7.1.

SQL Injection

Missing Auth in Tutor LMS up to 2.1.8 (WP Plugin)
CVE-2023-25799 8.8 - High - June 11, 2024

Missing Authorization vulnerability in Themeum Tutor LMS. This issue affects Tutor LMS: all versions up to and including 2.1.8.

AuthZ

Tutor LMS <=2.7.1 Insecure Direct Object Reference: Delete Arbitrary Quiz Attempts
CVE-2024-5438 4.3 - Medium - June 07, 2024

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.1 via the 'attempt_delete' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Instructor-level access and above, to delete arbitrary quiz attempts.

Insecure Direct Object Reference / IDOR

Time-based SQLi in Tutor LMS <=2.7.1 via course_id
CVE-2024-4902 7.2 - High - June 07, 2024

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the course_id parameter in all versions up to, and including, 2.7.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. CVE-2024-37256 is likely a duplicate of this issue.

SQL Injection

Unauthorized Access & SQL Injection in Tutor LMS Pro (WordPress)
CVE-2024-4352 8.8 - High - May 16, 2024

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'get_calendar_materials' function. The plugin is also vulnerable to SQL Injection via the year parameter of that function due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AuthZ

Tutor LMS Pro <=2.7.0 Missing Capability Check in authenticate: Privilege Escalation
CVE-2024-4351 8.8 - High - May 16, 2024

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'authenticate' function in all versions up to, and including, 2.7.0. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to gain control of an existing administrator account.

AuthZ

Unauthorized Access in Tutor LMS Pro <=2.7.0 WordPress Plugin
CVE-2024-4222 7.3 - High - May 16, 2024

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.

AuthZ

Tutor LMS WP Plugin <=2.7.0: Unauth Data Access/Modification
CVE-2024-4223 9.8 - Critical - May 16, 2024

The Tutor LMS plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete data.

AuthZ

Tutor LMS <=2.7.0 Time-based SQLi via question_id
CVE-2024-4318 8.8 - High - May 16, 2024

The Tutor LMS plugin for WordPress is vulnerable to time-based SQL Injection via the question_id parameter in versions up to, and including, 2.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Instructor-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

SQL Injection

Tutor LMS <=2.7.0 IDOR: Arbitrary Course Deletion via tutor_course_delete
CVE-2024-4279 6.5 - Medium - May 16, 2024

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutor_course_delete' function due to missing validation on a user controlled key. This can allow authenticated attackers, with Instructor-level permissions and above, to delete any course.

Insecure Direct Object Reference / IDOR

WordPress Tutor LMS <=2.6.2: Missing Capability Check Lets Unauthenticated Users Enable Registration
CVE-2024-3553 6.5 - Medium - May 02, 2024

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the hide_notices function in all versions up to, and including, 2.6.2. This makes it possible for unauthenticated attackers to enable user registration on sites that may have it disabled.

AuthZ

Stored XSS in Tutor LMS <=2.6.2 via tutor_instructor_list shortcode
CVE-2024-3994 5.4 - Medium - April 25, 2024

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tutor_instructor_list' shortcode in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

XSS

CVE-2024-1503: Tutor LMS CSRF in erase_tutor_data() up to v2.6.1
CVE-2024-1503 4.3 - Medium - March 21, 2024

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.1. This is due to missing or incorrect nonce validation on the erase_tutor_data() function. This makes it possible for unauthenticated attackers to deactivate the plugin and erase all data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This requires the "Erase upon uninstallation" option to be enabled.

Session Riding

Tutor LMS <=2.6.1 Unauthorized Data Loss via Missing Cap Check
CVE-2024-1502 5.4 - Medium - March 21, 2024

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tutor_delete_announcement() function in all versions up to, and including, 2.6.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary posts.

AuthZ

Tutor LMS <=2.6.1 Time-based SQLi via question_id
CVE-2024-1751 8.8 - High - March 13, 2024

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the question_id parameter in all versions up to, and including, 2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber/student access or higher, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

SQL Injection
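Added example, not Tutor LMS code: a Python model over an in-memory SQLite table of the SQL-injection entries on this page, the unauthenticated coupon_code injection (CVE-2025-13673), rating_filter (CVE-2024-10400) and the time-based question_id injections (CVE-2024-4318, CVE-2024-1751 above). The advisories describe "insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query"; the vulnerable function below pastes the value into the query string, the fixed one binds it (the equivalent of $wpdb->prepare() with %s or %d in WordPress). The schema, rows and the UNION payload are constructed for the example.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema; not Tutor LMS's tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE coupons(code TEXT, discount INTEGER);
        INSERT INTO coupons VALUES ('SAVE50', 50), ('WELCOME', 10);
        CREATE TABLE users(user_login TEXT, user_pass TEXT);
        INSERT INTO users VALUES ('admin', '$P$B-constructed-hash');
    """)
    return db


def coupon_lookup_vulnerable(db: sqlite3.Connection, coupon_code: str):
    """The value is interpolated into SQL, so a quote ends the literal and the
    rest of the input becomes query syntax."""
    sql = f"SELECT code, discount FROM coupons WHERE code = '{coupon_code}'"
    return db.execute(sql).fetchall()


def coupon_lookup_fixed(db: sqlite3.Connection, coupon_code: str):
    """Same query with the value bound as a parameter; the driver never lets
    it be parsed as SQL, whatever it contains."""
    sql = "SELECT code, discount FROM coupons WHERE code = ?"
    return db.execute(sql, (coupon_code,)).fetchall()


def safe_int_id(value) -> Optional[int]:
    """For integer parameters such as question_id or course_id: coerce before
    the query (like absint() / %d) so a time-based payload never reaches SQL."""
    try:
        return int(str(value).strip())
    except ValueError:
        return None


# Constructed payload in the shape an attacker would send as coupon_code.
UNION_PAYLOAD = "x' UNION SELECT user_login, user_pass FROM users -- "


if __name__ == "__main__":
    db = make_db()
    print(coupon_lookup_vulnerable(db, UNION_PAYLOAD))  # leaks rows from users
    print(coupon_lookup_fixed(db, UNION_PAYLOAD))       # no coupon has that code: []
    print(safe_int_id("5 AND SLEEP(5)"))                # None, never queried
```

Time-based blind injection in an integer parameter is the same defect with a less visible symptom: the query returns nothing useful, but a conditional delay leaks one bit per request. Integer coercion before the query removes the whole class for that parameter; for string parameters only binding does.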

Tutor LMS <=2.6.0 WP Plugin: Unauthorized Q&A Access (CVE-2024-1133)
CVE-2024-1133 4.3 - Medium - February 29, 2024

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of restricted Q&A content due to a missing capability check when interacting with questions in all versions up to, and including, 2.6.0. This makes it possible for authenticated attackers, with subscriber access or higher, to interact with questions in courses in which they are not enrolled including private courses.

AuthZ

Tutor LMS 2.6.0: Q&A HTML Injection (Auth Student+)
CVE-2024-1128 5.4 - Medium - February 29, 2024

The Tutor LMS eLearning and online course solution plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 2.6.0. This is due to insufficient sanitization of HTML input in the Q&A functionality. This makes it possible for authenticated attackers, with Student access and above, to inject arbitrary HTML onto a site, though it does not allow Cross-Site Scripting.

Injection

Themeum Tutor LMS <=2.2.4 Stored XSS (Improper Neutralization of Input)
CVE-2023-49829 4.8 - Medium - December 15, 2023

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS eLearning and online course solution allows Stored XSS. This issue affects Tutor LMS eLearning and online course solution: all versions up to and including 2.2.4.

XSS

Tutor LMS <=2.1.10 SQL Injection
CVE-2023-25700 9.8 - Critical - November 03, 2023

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection. This issue affects Tutor LMS: all versions up to and including 2.1.10.

SQL Injection

Tutor LMS <=2.2.0 SQL Injection via Unsanitized User Input
CVE-2023-25800 8.8 - High - November 03, 2023

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection. This issue affects Tutor LMS: all versions up to and including 2.2.0.

SQL Injection

Themeum Tutor LMS <=2.1.10 SQL Injection
CVE-2023-25990 8.8 - High - November 03, 2023

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS allows SQL Injection. This issue affects Tutor LMS: all versions up to and including 2.1.10.

SQL Injection
