Tutor_lms - Vulncode-DB

Note:

This project will be discontinued after December 13, 2021. [more]

Product:
Tutor_lms
(Themeum)

Repositories	Unknown: This might be proprietary software.
#Vulnerabilities	45

Date	Id	Summary	Products	Score	Patch	Annotated
2024-07-20	CVE-2024-37947	Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themeum Tutor LMS allows Stored XSS.This issue affects Tutor LMS: from n/a through 2.7.2.	Tutor_lms	4.8
2024-05-16	CVE-2024-4279	The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutor_course_delete' function due to missing validation on a user controlled key. This can allow authenticated attackers, with Instructor-level permissions and above, to delete any course.	Tutor_lms	6.5
2024-05-16	CVE-2024-4318	The Tutor LMS plugin for WordPress is vulnerable to time-based SQL Injection via the ‘question_id’ parameter in versions up to, and including, 2.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Instructor-level permissions and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.	Tutor_lms	6.5
2024-05-16	CVE-2024-4223	The Tutor LMS plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete data.	Tutor_lms	N/A
2024-11-21	CVE-2024-10393	The Tutor LMS plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 2.7.6. This is due to a missing check for the 'users_can_register' option in the 'register_instructor' function. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.	Tutor_lms	N/A
2024-11-21	CVE-2024-10400	The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the ‘rating_filter’ parameter in all versions up to, and including, 2.7.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.	Tutor_lms	N/A
2024-08-12	CVE-2024-43231	Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themeum Tutor LMS allows Stored XSS.This issue affects Tutor LMS: from n/a through 2.7.3.	Tutor_lms	5.4
2024-08-18	CVE-2024-43282	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themeum Tutor LMS.This issue affects Tutor LMS: from n/a through 2.7.2.	Tutor_lms	7.2
2024-05-16	CVE-2024-4222	The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on multiple functions in all versions up to, and including, 2.7.0. This makes it possible for unauthenticated attackers to add, modify, or delete user meta and plugin options.	Tutor_lms	8.2
2024-05-16	CVE-2024-4352	The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data due to a missing capability check on the 'get_calendar_materials' function. The plugin is also vulnerable to SQL Injection via the ‘year’ parameter of that function due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level permissions...	Tutor_lms	N/A