
    70 vulnerabilities found for Tutor LMS – eLearning and online course solution by themeum

    CVE-2026-13443 (GCVE-0-2026-13443)

    Vulnerability from nvd – Published: 2026-07-01 03:43 – Updated: 2026-07-01 10:32
    Title
    Tutor LMS <= 3.9.13 - Authenticated (Author+) Stored Cross-Site Scripting via Lesson Attachment Title
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title in all versions up to, and including, 3.9.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    skyv3il

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13443",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T10:27:48.827451Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T10:32:06.393Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.13",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "skyv3il"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title in all versions up to, and including, 3.9.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T03:43:35.748Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7483762c-5356-4844-90a9-511d9ec48625?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.13/templates/global/attachments.php#L34"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.13/classes/Utils.php#L1720"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.13/classes/Utils.php#L1688"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/templates/global/attachments.php#L34"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L1720"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L1688"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3590029%40tutor\u0026new=3590029%40tutor\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-26T16:52:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-30T14:59:54.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.13 - Authenticated (Author+) Stored Cross-Site Scripting via Lesson Attachment Title"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-13443",
        "datePublished": "2026-07-01T03:43:35.748Z",
        "dateReserved": "2026-06-26T16:35:32.693Z",
        "dateUpdated": "2026-07-01T10:32:06.393Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10736 (GCVE-0-2026-10736)

    Vulnerability from nvd – Published: 2026-06-18 05:34 – Updated: 2026-06-18 15:52
    Title
    Tutor LMS <= 3.9.11 - Authenticated (Administrator+) SQL Injection via 'data' Parameter
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    Miguel Angel Mendez Z

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10736",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T15:51:49.093996Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T15:52:02.866Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Miguel Angel Mendez Z"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the \u0027data\u0027 parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T05:34:24.933Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e193bb9-bb16-4a77-877b-fa0ab29a6c74?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.11/models/WithdrawModel.php#L118"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.11/models/WithdrawModel.php#L169"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.11/views/pages/withdraw_requests.php#L29"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.11/classes/Input.php#L78"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/models/WithdrawModel.php#L118"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/models/WithdrawModel.php#L169"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/views/pages/withdraw_requests.php#L29"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Input.php#L78"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3565513/tutor/tags/3.9.12/models/WithdrawModel.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-03T13:13:27.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-17T17:23:24.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.11 - Authenticated (Administrator+) SQL Injection via \u0027data\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-10736",
        "datePublished": "2026-06-18T05:34:24.933Z",
        "dateReserved": "2026-06-03T12:58:16.370Z",
        "dateUpdated": "2026-06-18T15:52:02.866Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6965 (GCVE-0-2026-6965)

    Vulnerability from nvd – Published: 2026-05-13 05:29 – Updated: 2026-05-13 10:20
    Title
    Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.
    SSVC
    Exploitation: none; Automatable: yes; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    URL Tags
    https://www.wordfence.com/threat-intel/vulnerabil…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/changeset?sfp_…
    Impacted products
    Credits
    molten bit

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6965",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T10:05:51.578265Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T10:20:41.926Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "molten bit"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin\u0027s sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor\u0027s course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q\u0026A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T05:29:37.082Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55924ea3-373c-4297-a958-5670def1f6c0?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L7829"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L7829"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L8020"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L8020"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L341"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L341"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1041"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1041"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2045"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L2045"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L586"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L586"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Announcements.php#L105"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Announcements.php#L105"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L219"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L219"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L297"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L297"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L294"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L294"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L243"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L243"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1997"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L1997"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L507"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L507"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L888"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L888"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L339"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L339"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L186"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L186"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1007"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1007"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L7829"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L8020"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L341"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1041"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2045"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L586"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Announcements.php#L105"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L219"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L297"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L294"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L243"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1997"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L507"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L888"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L339"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L186"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1007"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3518400%40tutor\u0026new=3518400%40tutor\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-24T16:17:05.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-12T17:18:06.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via \u0027course\u0027 GET Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-6965",
        "datePublished": "2026-05-13T05:29:37.082Z",
        "dateReserved": "2026-04-24T16:01:40.686Z",
        "dateUpdated": "2026-05-13T10:20:41.926Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6080 (GCVE-0-2026-6080)

    Vulnerability from nvd – Published: 2026-04-17 03:36 – Updated: 2026-04-20 14:59
    Title
    Tutor LMS <= 3.9.8 - Authenticated (Admin+) SQL Injection via 'date' Parameter
    Summary
    The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    PRISM

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6080",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T14:30:59.779711Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-20T14:59:23.108Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "PRISM"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the \u0027date\u0027 parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb-\u003eprepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T03:36:44.234Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dd041ff-a0a3-4d1f-83e0-6ec2a978e9cf?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Instructors_List.php#L376"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Instructors_List.php#L376"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/views/pages/instructors.php#L38"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/views/pages/instructors.php#L38"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Instructors_List.php#L451"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Instructors_List.php#L451"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3505142/tutor/tags/3.9.9/classes/Instructors_List.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-10T15:07:56.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-16T15:15:35.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.8 - Authenticated (Admin+) SQL Injection via \u0027date\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-6080",
        "datePublished": "2026-04-17T03:36:44.234Z",
        "dateReserved": "2026-04-10T14:52:47.051Z",
        "dateUpdated": "2026-04-20T14:59:23.108Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5502 (GCVE-0-2026-5502)

    Vulnerability from nvd – Published: 2026-04-17 03:36 – Updated: 2026-04-17 14:28
    Title
    Tutor LMS <= 3.9.8 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) but does not verify whether the user has permission to manage course content. The can_user_manage() authorization check only executes when the 'content_parent' parameter is present in the request. When this parameter is omitted, the function proceeds directly to save_course_content_order() which manipulates the wp_posts table without any authorization validation. This makes it possible for authenticated attackers with subscriber-level access and above to detach all lessons from any topic, move lessons between topics, and modify the menu_order of course content, effectively allowing them to disrupt the structure of any course on the site.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    momopon1415

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5502",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T14:27:27.845133Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T14:28:01.492Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "momopon1415"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) but does not verify whether the user has permission to manage course content. The can_user_manage() authorization check only executes when the \u0027content_parent\u0027 parameter is present in the request. When this parameter is omitted, the function proceeds directly to save_course_content_order() which manipulates the wp_posts table without any authorization validation. This makes it possible for authenticated attackers with subscriber-level access and above to detach all lessons from any topic, move lessons between topics, and modify the menu_order of course content, effectively allowing them to disrupt the structure of any course on the site."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T03:36:45.463Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f32ae42d-dd1f-41d7-8ae4-ddec56d78ae6?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1700"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1789"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1789"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1700"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3505142/tutor/tags/3.9.9/classes/Course.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-03T16:04:07.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-16T15:10:34.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.8 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5502",
        "datePublished": "2026-04-17T03:36:45.463Z",
        "dateReserved": "2026-04-03T15:48:58.659Z",
        "dateUpdated": "2026-04-17T14:28:01.492Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3371 (GCVE-0-2026-3371)

    Vulnerability from nvd – Published: 2026-04-11 01:25 – Updated: 2026-04-13 15:15
    Title
    Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Hunter Jensen

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3371",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-13T15:10:52.681017Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-13T15:15:07.829Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hunter Jensen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler\u0027s `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-11T01:25:01.083Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9cf0430-8577-449a-aefe-d7bf606fe2de?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1687"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1755"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L252"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7\u0026new_path=%2Ftutor/tags/3.9.8"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-27T19:33:20.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-10T12:00:50.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-3371",
        "datePublished": "2026-04-11T01:25:01.083Z",
        "dateReserved": "2026-02-27T22:04:08.540Z",
        "dateUpdated": "2026-04-13T15:15:07.829Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3358 (GCVE-0-2026-3358)

    Vulnerability from nvd – Published: 2026-04-11 01:24 – Updated: 2026-04-13 15:15
    Title
    Tutor LMS <= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Mohammad Amin Hajian

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3358",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-13T15:09:07.243718Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-13T15:15:08.860Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mohammad Amin Hajian"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber\u0027s dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-11T01:24:56.945Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c173356-7228-4253-bb28-2c2e11af76fd?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2066"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L134"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2053"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2989"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7\u0026new_path=%2Ftutor/tags/3.9.8"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/classes/Course.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-27T18:49:18.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-10T11:46:32.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-3358",
        "datePublished": "2026-04-11T01:24:56.945Z",
        "dateReserved": "2026-02-27T18:34:05.013Z",
        "dateUpdated": "2026-04-13T15:15:08.860Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3360 (GCVE-0-2026-3360)

    Vulnerability from nvd – Published: 2026-04-10 01:24 – Updated: 2026-04-10 17:05
    Title
    Tutor LMS <= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via 'order_id' Parameter
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Supakiad S.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3360",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-10T17:05:29.061402Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-10T17:05:46.556Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner\u0027s profile (`$order_data-\u003euser_id`) without verifying the requester\u0027s identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-10T01:24:58.426Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f365519-dd0a-4f39-880d-7216ce2f7d1e?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Tutor.php#L563"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L108"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L1059"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/ecommerce/CheckoutController.php#L1059"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/ecommerce/CheckoutController.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-27T20:06:17.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-09T12:40:11.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via \u0027order_id\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-3360",
        "datePublished": "2026-04-10T01:24:58.426Z",
        "dateReserved": "2026-02-27T19:38:55.529Z",
        "dateUpdated": "2026-04-10T17:05:46.556Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13673 (GCVE-0-2025-13673)

    Vulnerability from nvd – Published: 2026-02-28 07:25 – Updated: 2026-04-08 16:32
    Title
    Tutor LMS <= 3.9.6 - Unauthenticated SQL Injection via coupon_code
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    Supakiad S.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13673",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-02T15:30:14.379811Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-02T15:30:38.628Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the \u0027coupon_code\u0027 parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:32:19.793Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/007df869-dacb-4b0a-9c98-50586934cdab?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3469242/tutor"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-11-25T18:35:38.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-27T18:54:35.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.6 - Unauthenticated SQL Injection via coupon_code"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-13673",
        "datePublished": "2026-02-28T07:25:35.002Z",
        "dateReserved": "2025-11-25T18:00:47.434Z",
        "dateUpdated": "2026-04-08T16:32:19.793Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1375 (GCVE-0-2026-1375)

    Vulnerability from nvd – Published: 2026-02-03 07:31 – Updated: 2026-04-08 16:51
    Title
    Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Athiwat Tiprasaharn, Tharadol Suksamran

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1375",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-03T15:45:56.367297Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-03T15:46:05.937Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Athiwat Tiprasaharn"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Tharadol Suksamran"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:51:47.055Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fce-461257420eb6?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L289"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L437"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L463"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/classes/Course_List.php?contextall=1\u0026old=3339576\u0026old_path=%2Ftutor%2Ftrunk%2Fclasses%2FCourse_List.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-23T18:20:12.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-02T18:41:05.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1375",
        "datePublished": "2026-02-03T07:31:23.100Z",
        "dateReserved": "2026-01-23T18:04:32.011Z",
        "dateUpdated": "2026-04-08T16:51:47.055Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1371 (GCVE-0-2026-1371)

    Vulnerability from nvd – Published: 2026-02-03 07:31 – Updated: 2026-04-08 17:03
    Title
    Tutor LMS <= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Credits
    Supakiad S.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1371",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-03T15:45:26.969407Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-03T15:45:34.642Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:03:21.310Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f5c5f64-a864-4ce1-9080-19f7c4418307?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L106"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L658"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/ecommerce/CouponController.php?contextall=1\u0026old=3422766\u0026old_path=%2Ftutor%2Ftrunk%2Fecommerce%2FCouponController.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-23T16:16:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-02T18:49:17.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via \u0027tutor_coupon_details\u0027 AJAX Action"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1371",
        "datePublished": "2026-02-03T07:31:23.720Z",
        "dateReserved": "2026-01-23T16:00:38.156Z",
        "dateUpdated": "2026-04-08T17:03:21.310Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-0548 (GCVE-0-2026-0548)

    Vulnerability from nvd – Published: 2026-01-20 14:26 – Updated: 2026-04-08 16:35
    Title
    Tutor LMS – eLearning and online course solution <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    M Indra Purnama

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0548",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-20T14:53:15.549458Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-20T14:53:42.335Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "M Indra Purnama"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:35:25.884Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e475e02-494a-4ad0-a83c-d027c3a32989?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=/tutor/tags/3.9.4/classes/User.php\u0026new_path=/tutor/tags/3.9.5/classes/User.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-21T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-01-01T17:15:10.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-01-20T01:46:19.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u2013 eLearning and online course solution \u003c= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-0548",
        "datePublished": "2026-01-20T14:26:31.808Z",
        "dateReserved": "2026-01-01T16:58:14.820Z",
        "dateUpdated": "2026-04-08T16:35:25.884Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13935 (GCVE-0-2025-13935)

    Vulnerability from nvd – Published: 2026-01-09 07:22 – Updated: 2026-04-08 17:02
    Title
    Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Supakiad S.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13935",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-09T18:10:36.671555Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-09T18:10:43.988Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the \u0027mark_course_complete\u0027 function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:02:31.130Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7b8b111a-9626-41f4-8a13-51f576af0257?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-19T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-12-02T22:38:12.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-01-08T18:44:27.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u2013 eLearning and online course solution \u003c= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-13935",
        "datePublished": "2026-01-09T07:22:11.913Z",
        "dateReserved": "2025-12-02T22:22:21.248Z",
        "dateUpdated": "2026-04-08T17:02:31.130Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13934 (GCVE-0-2025-13934)

    Vulnerability from nvd – Published: 2026-01-09 07:22 – Updated: 2026-04-08 16:56
    Title
    Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Supakiad S.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13934",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-09T19:06:22.553353Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-09T19:11:47.452Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:56:00.874Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5de212c9-5c2e-4713-b1ce-022dd84520c3?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-19T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-12-02T22:38:03.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-01-08T18:43:50.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u2013 eLearning and online course solution \u003c= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-13934",
        "datePublished": "2026-01-09T07:22:11.542Z",
        "dateReserved": "2025-12-02T22:22:20.669Z",
        "dateUpdated": "2026-04-08T16:56:00.874Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13628 (GCVE-0-2025-13628)

    Vulnerability from nvd – Published: 2026-01-09 07:22 – Updated: 2026-04-08 16:49
    Title
    Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Supakiad S.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13628",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-09T19:06:39.210342Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-09T19:11:27.064Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the \u0027bulk_action_handler\u0027 and \u0027coupon_permanent_delete\u0027 functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:49:55.422Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46f71f7b-7326-47b6-a23a-68a40f5bb56b?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/ecommerce/CouponController.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-11-15T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-11-24T21:55:21.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-01-08T19:03:12.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u2013 eLearning and online course solution \u003c= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-13628",
        "datePublished": "2026-01-09T07:22:10.781Z",
        "dateReserved": "2025-11-24T21:38:45.491Z",
        "dateUpdated": "2026-04-08T16:49:55.422Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13443 (GCVE-0-2026-13443)

    Vulnerability from cvelistv5 – Published: 2026-07-01 03:43 – Updated: 2026-07-01 10:32
    Title
    Tutor LMS <= 3.9.13 - Authenticated (Author+) Stored Cross-Site Scripting via Lesson Attachment Title
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title in all versions up to, and including, 3.9.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    skyv3il

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13443",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T10:27:48.827451Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T10:32:06.393Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.13",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "skyv3il"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title in all versions up to, and including, 3.9.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T03:43:35.748Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7483762c-5356-4844-90a9-511d9ec48625?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.13/templates/global/attachments.php#L34"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.13/classes/Utils.php#L1720"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.13/classes/Utils.php#L1688"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/templates/global/attachments.php#L34"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L1720"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L1688"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3590029%40tutor\u0026new=3590029%40tutor\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-26T16:52:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-30T14:59:54.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.13 - Authenticated (Author+) Stored Cross-Site Scripting via Lesson Attachment Title"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-13443",
        "datePublished": "2026-07-01T03:43:35.748Z",
        "dateReserved": "2026-06-26T16:35:32.693Z",
        "dateUpdated": "2026-07-01T10:32:06.393Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10736 (GCVE-0-2026-10736)

    Vulnerability from cvelistv5 – Published: 2026-06-18 05:34 – Updated: 2026-06-18 15:52
    Title
    Tutor LMS <= 3.9.11 - Authenticated (Administrator+) SQL Injection via 'data' Parameter
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    Miguel Angel Mendez Z

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10736",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T15:51:49.093996Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T15:52:02.866Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.11",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Miguel Angel Mendez Z"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the \u0027data\u0027 parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T05:34:24.933Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e193bb9-bb16-4a77-877b-fa0ab29a6c74?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.11/models/WithdrawModel.php#L118"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.11/models/WithdrawModel.php#L169"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.11/views/pages/withdraw_requests.php#L29"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.11/classes/Input.php#L78"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/models/WithdrawModel.php#L118"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/models/WithdrawModel.php#L169"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/views/pages/withdraw_requests.php#L29"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Input.php#L78"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3565513/tutor/tags/3.9.12/models/WithdrawModel.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-03T13:13:27.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-17T17:23:24.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.11 - Authenticated (Administrator+) SQL Injection via \u0027data\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-10736",
        "datePublished": "2026-06-18T05:34:24.933Z",
        "dateReserved": "2026-06-03T12:58:16.370Z",
        "dateUpdated": "2026-06-18T15:52:02.866Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6965 (GCVE-0-2026-6965)

    Vulnerability from cvelistv5 – Published: 2026-05-13 05:29 – Updated: 2026-05-13 10:20
    Title
    Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    References
    URL Tags
    https://www.wordfence.com/threat-intel/vulnerabil…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/browser/tutor/…
    https://plugins.trac.wordpress.org/changeset?sfp_…
    Impacted products
    Credits
    molten bit

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6965",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T10:05:51.578265Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T10:20:41.926Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "molten bit"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin\u0027s sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor\u0027s course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q\u0026A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T05:29:37.082Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55924ea3-373c-4297-a958-5670def1f6c0?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L7829"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L7829"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L8020"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L8020"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L341"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L341"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1041"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1041"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2045"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L2045"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L586"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L586"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Announcements.php#L105"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Announcements.php#L105"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L219"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L219"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L297"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L297"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L294"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L294"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L243"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L243"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1997"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L1997"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L507"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L507"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L888"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L888"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L339"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L339"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L186"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L186"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1007"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1007"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L7829"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L8020"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L341"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1041"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2045"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L586"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Announcements.php#L105"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L219"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L297"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L294"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L243"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1997"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L507"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L888"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L339"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L186"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1007"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3518400%40tutor\u0026new=3518400%40tutor\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-24T16:17:05.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-12T17:18:06.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via \u0027course\u0027 GET Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-6965",
        "datePublished": "2026-05-13T05:29:37.082Z",
        "dateReserved": "2026-04-24T16:01:40.686Z",
        "dateUpdated": "2026-05-13T10:20:41.926Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5502 (GCVE-0-2026-5502)

    Vulnerability from cvelistv5 – Published: 2026-04-17 03:36 – Updated: 2026-04-17 14:28
    Title
    Tutor LMS <= 3.9.8 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) but does not verify whether the user has permission to manage course content. The can_user_manage() authorization check only executes when the 'content_parent' parameter is present in the request. When this parameter is omitted, the function proceeds directly to save_course_content_order() which manipulates the wp_posts table without any authorization validation. This makes it possible for authenticated attackers with subscriber-level access and above to detach all lessons from any topic, move lessons between topics, and modify the menu_order of course content, effectively allowing them to disrupt the structure of any course on the site. Reviewer note: the record's CVSS 3.1 vector (AV:N/AC:L/PR:N/…) encodes "no privileges required", which contradicts the Subscriber+ precondition stated here; treat PR:L as the intended value when prioritising. This is the same `tutor_update_course_content_order` / `save_course_content_order()` path described by CVE-2026-3371 (affected <= 3.9.7, patched in 3.9.8), so it appears to be an incomplete fix: sites that upgraded to 3.9.8 for CVE-2026-3371 remain exposed until 3.9.9 (changeset 3505142).
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-862 - Missing Authorization
    Assigner
    Wordfence
    Impacted products
    themeum Tutor LMS – eLearning and online course solution, all versions up to and including 3.9.8 (semver); versions outside that range are recorded as unaffected, and the referenced fix changeset is on the 3.9.9 tag
    Credits
    momopon1415

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5502",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T14:27:27.845133Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T14:28:01.492Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "momopon1415"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) but does not verify whether the user has permission to manage course content. The can_user_manage() authorization check only executes when the \u0027content_parent\u0027 parameter is present in the request. When this parameter is omitted, the function proceeds directly to save_course_content_order() which manipulates the wp_posts table without any authorization validation. This makes it possible for authenticated attackers with subscriber-level access and above to detach all lessons from any topic, move lessons between topics, and modify the menu_order of course content, effectively allowing them to disrupt the structure of any course on the site."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T03:36:45.463Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f32ae42d-dd1f-41d7-8ae4-ddec56d78ae6?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1700"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1789"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1789"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1700"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3505142/tutor/tags/3.9.9/classes/Course.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-03T16:04:07.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-16T15:10:34.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.8 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5502",
        "datePublished": "2026-04-17T03:36:45.463Z",
        "dateReserved": "2026-04-03T15:48:58.659Z",
        "dateUpdated": "2026-04-17T14:28:01.492Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6080 (GCVE-0-2026-6080)

    Vulnerability from cvelistv5 – Published: 2026-04-17 03:36 – Updated: 2026-04-20 14:59
    Title
    Tutor LMS <= 3.9.8 - Authenticated (Admin+) SQL Injection via 'date' Parameter
    Summary
    The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database. Reviewer note: because the 'date' value is concatenated into the query string before it reaches $wpdb->prepare(), prepare()'s placeholder escaping never applies to it; the correct fix is to bind the value through a %s placeholder (or strictly validate it as a date) rather than interpolate it. The CVSS vector records PR:L although exploitation needs an Administrator account, so the 6.5 score overstates reach; on a single-site install such an account can typically already install code, so the finding matters most on multisite or installs with constrained administrators.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Wordfence
    Impacted products
    themeum Tutor LMS – eLearning and online course solution, all versions up to and including 3.9.8 (semver); versions outside that range are recorded as unaffected, and the referenced fix changeset is on the 3.9.9 tag
    Credits
    PRISM

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6080",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T14:30:59.779711Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-20T14:59:23.108Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "PRISM"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the \u0027date\u0027 parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb-\u003eprepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T03:36:44.234Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dd041ff-a0a3-4d1f-83e0-6ec2a978e9cf?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Instructors_List.php#L376"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Instructors_List.php#L376"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/views/pages/instructors.php#L38"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/views/pages/instructors.php#L38"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Instructors_List.php#L451"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Instructors_List.php#L451"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3505142/tutor/tags/3.9.9/classes/Instructors_List.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-10T15:07:56.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-16T15:15:35.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.8 - Authenticated (Admin+) SQL Injection via \u0027date\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-6080",
        "datePublished": "2026-04-17T03:36:44.234Z",
        "dateReserved": "2026-04-10T14:52:47.051Z",
        "dateUpdated": "2026-04-20T14:59:23.108Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3371 (GCVE-0-2026-3371)

    Vulnerability from cvelistv5 – Published: 2026-04-11 01:25 – Updated: 2026-04-13 15:15
    Title
    Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs. Reviewer note: the 3.9.8 fix referenced here did not fully close this path — CVE-2026-5502 reports the same `tutor_update_course_content_order` handler still reaching `save_course_content_order()` without authorization when `content_parent` is omitted, in versions up to and including 3.9.8. Require 3.9.9 or later rather than 3.9.8 when remediating.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Wordfence
    Impacted products
    themeum Tutor LMS – eLearning and online course solution, all versions up to and including 3.9.7 (semver); the referenced diff is 3.9.7 → 3.9.8, but see the note above on the follow-up CVE-2026-5502
    Credits
    Hunter Jensen

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3371",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-13T15:10:52.681017Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-13T15:15:07.829Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hunter Jensen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler\u0027s `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-11T01:25:01.083Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9cf0430-8577-449a-aefe-d7bf606fe2de?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1687"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1755"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L252"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7\u0026new_path=%2Ftutor/tags/3.9.8"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-27T19:33:20.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-10T12:00:50.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-3371",
        "datePublished": "2026-04-11T01:25:01.083Z",
        "dateReserved": "2026-02-27T22:04:08.540Z",
        "dateUpdated": "2026-04-13T15:15:07.829Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3358 (GCVE-0-2026-3358)

    Vulnerability from cvelistv5 – Published: 2026-04-11 01:24 – Updated: 2026-04-13 15:15
    Title
    Tutor LMS <= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-862 - Missing Authorization
    Assigner
    Wordfence
    Impacted products
    themeum Tutor LMS – eLearning and online course solution, all versions up to and including 3.9.7 (semver); the referenced fix diff is 3.9.7 → 3.9.8 (changeset 3496394)
    Credits
    Mohammad Amin Hajian

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3358",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-13T15:09:07.243718Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-13T15:15:08.860Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mohammad Amin Hajian"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber\u0027s dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-11T01:24:56.945Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c173356-7228-4253-bb28-2c2e11af76fd?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2066"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L134"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2053"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2989"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7\u0026new_path=%2Ftutor/tags/3.9.8"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/classes/Course.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-27T18:49:18.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-10T11:46:32.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-3358",
        "datePublished": "2026-04-11T01:24:56.945Z",
        "dateReserved": "2026-02-27T18:34:05.013Z",
        "dateUpdated": "2026-04-13T15:15:08.860Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3360 (GCVE-0-2026-3360)

    Vulnerability from cvelistv5 – Published: 2026-04-10 01:24 – Updated: 2026-04-10 17:05
    Title
    Tutor LMS <= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via 'order_id' Parameter
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`. Reviewer note: `_tutor_nonce` is a CSRF token, not an authentication or authorization control; since it is emitted on public pages, the nonce check adds no protection here and rotating or regenerating it is not a mitigation. The fix must require a logged-in user and verify that the looked-up order's `user_id` matches the requester before any profile write; sequential order IDs make the enumeration the SSVC "Automatable: yes" rating reflects trivial.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Supakiad S.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-3360",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-10T17:05:29.061402Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-10T17:05:46.556Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner\u0027s profile (`$order_data-\u003euser_id`) without verifying the requester\u0027s identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-10T01:24:58.426Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f365519-dd0a-4f39-880d-7216ce2f7d1e?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Tutor.php#L563"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L108"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L1059"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/ecommerce/CheckoutController.php#L1059"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/ecommerce/CheckoutController.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-27T20:06:17.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-09T12:40:11.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via \u0027order_id\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-3360",
        "datePublished": "2026-04-10T01:24:58.426Z",
        "dateReserved": "2026-02-27T19:38:55.529Z",
        "dateUpdated": "2026-04-10T17:05:46.556Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13673 (GCVE-0-2025-13673)

    Vulnerability from cvelistv5 – Published: 2026-02-28 07:25 – Updated: 2026-04-08 16:32
    Title
    Tutor LMS <= 3.9.6 - Unauthenticated SQL Injection via coupon_code
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    Supakiad S.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13673",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-02T15:30:14.379811Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-02T15:30:38.628Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the \u0027coupon_code\u0027 parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:32:19.793Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/007df869-dacb-4b0a-9c98-50586934cdab?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3469242/tutor"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-11-25T18:35:38.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-27T18:54:35.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.6 - Unauthenticated SQL Injection via coupon_code"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-13673",
        "datePublished": "2026-02-28T07:25:35.002Z",
        "dateReserved": "2025-11-25T18:00:47.434Z",
        "dateUpdated": "2026-04-08T16:32:19.793Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1371 (GCVE-0-2026-1371)

    Vulnerability from cvelistv5 – Published: 2026-02-03 07:31 – Updated: 2026-04-08 17:03
    Title
    Tutor LMS <= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Credits
    Supakiad S.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1371",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-03T15:45:26.969407Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-03T15:45:34.642Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:03:21.310Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f5c5f64-a864-4ce1-9080-19f7c4418307?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L106"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L658"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/ecommerce/CouponController.php?contextall=1\u0026old=3422766\u0026old_path=%2Ftutor%2Ftrunk%2Fecommerce%2FCouponController.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-23T16:16:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-02T18:49:17.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via \u0027tutor_coupon_details\u0027 AJAX Action"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1371",
        "datePublished": "2026-02-03T07:31:23.720Z",
        "dateReserved": "2026-01-23T16:00:38.156Z",
        "dateUpdated": "2026-04-08T17:03:21.310Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1375 (GCVE-0-2026-1375)

    Vulnerability from cvelistv5 – Published: 2026-02-03 07:31 – Updated: 2026-04-08 16:51
    Title
    Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Athiwat Tiprasaharn Tharadol Suksamran

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1375",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-03T15:45:56.367297Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-03T15:46:05.937Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Athiwat Tiprasaharn"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Tharadol Suksamran"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:51:47.055Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fce-461257420eb6?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L289"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L437"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L463"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/classes/Course_List.php?contextall=1\u0026old=3339576\u0026old_path=%2Ftutor%2Ftrunk%2Fclasses%2FCourse_List.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-23T18:20:12.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-02-02T18:41:05.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u003c= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1375",
        "datePublished": "2026-02-03T07:31:23.100Z",
        "dateReserved": "2026-01-23T18:04:32.011Z",
        "dateUpdated": "2026-04-08T16:51:47.055Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-0548 (GCVE-0-2026-0548)

    Vulnerability from cvelistv5 – Published: 2026-01-20 14:26 – Updated: 2026-04-08 16:35
    Title
    Tutor LMS – eLearning and online course solution <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    M Indra Purnama

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-0548",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-20T14:53:15.549458Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-20T14:53:42.335Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "M Indra Purnama"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:35:25.884Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e475e02-494a-4ad0-a83c-d027c3a32989?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=/tutor/tags/3.9.4/classes/User.php\u0026new_path=/tutor/tags/3.9.5/classes/User.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-21T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-01-01T17:15:10.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-01-20T01:46:19.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u2013 eLearning and online course solution \u003c= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-0548",
        "datePublished": "2026-01-20T14:26:31.808Z",
        "dateReserved": "2026-01-01T16:58:14.820Z",
        "dateUpdated": "2026-04-08T16:35:25.884Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13935 (GCVE-0-2025-13935)

    Vulnerability from cvelistv5 – Published: 2026-01-09 07:22 – Updated: 2026-04-08 17:02
    Title
    Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Supakiad S.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13935",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-09T18:10:36.671555Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-09T18:10:43.988Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the \u0027mark_course_complete\u0027 function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:02:31.130Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7b8b111a-9626-41f4-8a13-51f576af0257?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-19T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-12-02T22:38:12.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-01-08T18:44:27.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u2013 eLearning and online course solution \u003c= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-13935",
        "datePublished": "2026-01-09T07:22:11.913Z",
        "dateReserved": "2025-12-02T22:22:21.248Z",
        "dateUpdated": "2026-04-08T17:02:31.130Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13934 (GCVE-0-2025-13934)

    Vulnerability from cvelistv5 – Published: 2026-01-09 07:22 – Updated: 2026-04-08 16:56
    Title
    Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Supakiad S.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13934",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-09T19:06:22.553353Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-09T19:11:47.452Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:56:00.874Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5de212c9-5c2e-4713-b1ce-022dd84520c3?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-12-19T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-12-02T22:38:03.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-01-08T18:43:50.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u2013 eLearning and online course solution \u003c= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-13934",
        "datePublished": "2026-01-09T07:22:11.542Z",
        "dateReserved": "2025-12-02T22:22:20.669Z",
        "dateUpdated": "2026-04-08T16:56:00.874Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-13628 (GCVE-0-2025-13628)

    Vulnerability from cvelistv5 – Published: 2026-01-09 07:22 – Updated: 2026-04-08 16:49
    Title
    Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification
    Summary
    The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Supakiad S.

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-13628",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-09T19:06:39.210342Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-01-09T19:11:27.064Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Tutor LMS \u2013 eLearning and online course solution",
              "vendor": "themeum",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Supakiad S."
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the \u0027bulk_action_handler\u0027 and \u0027coupon_permanent_delete\u0027 functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:49:55.422Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46f71f7b-7326-47b6-a23a-68a40f5bb56b?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/ecommerce/CouponController.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2025-11-15T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2025-11-24T21:55:21.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-01-08T19:03:12.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Tutor LMS \u2013 eLearning and online course solution \u003c= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2025-13628",
        "datePublished": "2026-01-09T07:22:10.781Z",
        "dateReserved": "2025-11-24T21:38:45.491Z",
        "dateUpdated": "2026-04-08T16:49:55.422Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }