← back to popular plugins
wordfence / plugin · tutor

Tutor LMS – eLearning and online course solution

tutor
total installs
100,000
total vulns
23
critical
0
high
3
medium
20
low
0
latest vuln
patched
23
unpatched
0
avg time to patch
vulnerabilities (23)
Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter
medium ✓ patched
cve id CVE-2026-6965 ↗
cvss score 5.3
cwe CWE-639: Authorization Bypass Through User-Controlled Key
published May 12, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.
Tutor LMS – eLearning and online course solution <= 3.9.7 - Missing Authorization
medium ✓ patched
cve id CVE-2026-40743 ↗
cvss score 5.3
cwe CWE-862: Missing Authorization
published Apr 20, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.9.7. This makes it possible for unauthenticated attackers to perform an unauthorized action.
Tutor LMS <= 3.9.8 - Authenticated (Admin+) SQL Injection via 'date' Parameter
medium ✓ patched
cve id CVE-2026-6080 ↗
cvss score 6.5
cwe CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
published Apr 16, 2026
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database.
Tutor LMS <= 3.9.8 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order
medium ✓ patched
cve id CVE-2026-5502 ↗
cvss score 5.3
cwe CWE-862: Missing Authorization
published Apr 16, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) but does not verify whether the user has permission to manage course content. The can_user_manage() authorization check only executes when the 'content_parent' parameter is present in the request. When this parameter is omitted, the function proceeds directly to save_course_content_order() which manipulates the wp_posts table without any authorization validation. This makes it possible for authenticated attackers with subscriber-level access and above to detach all lessons from any topic, move lessons between topics, and modify the menu_order of course content, effectively allowing them to disrupt the structure of any course on the site.
Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification
medium ✓ patched
cve id CVE-2026-3371 ↗
cvss score 4.3
cwe CWE-639: Authorization Bypass Through User-Controlled Key
published Apr 10, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs.
Tutor LMS <= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment
medium ✓ patched
cve id CVE-2026-3358 ↗
cvss score 5.4
cwe CWE-862: Missing Authorization
published Apr 10, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability.
Tutor LMS <= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via 'order_id' Parameter
high ✓ patched
cve id CVE-2026-3360 ↗
cvss score 7.5
cwe CWE-862: Missing Authorization
published Apr 9, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`.
Tutor LMS – eLearning and online course solution <= 3.9.4 - Authenticated (Subscriber+) Insecure Direct Object Reference
medium ✓ patched
cve id CVE-2025-32223 ↗
cvss score 4.3
cwe CWE-639: Authorization Bypass Through User-Controlled Key
published Mar 16, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform unauthorized actions.
Tutor LMS <= 3.9.7 - Missing Authorization
medium ✓ patched
cve id CVE-2026-40740 ↗
cvss score 4.3
cwe CWE-862: Missing Authorization
published Mar 15, 2026
The Tutor LMS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.9.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.
Tutor LMS <= 3.9.6 - Unauthenticated SQL Injection via coupon_code
high ✓ patched
cve id CVE-2025-13673 ↗
cvss score 7.5
cwe CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
published Feb 27, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6.
Tutor LMS – eLearning and online course solution <= 3.9.5 - Missing Authorization
medium ✓ patched
cve id CVE-2026-23799 ↗
cvss score 4.3
cwe CWE-862: Missing Authorization
published Feb 25, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.9.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.
Tutor LMS <= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action
medium ✓ patched
cve id CVE-2026-1371 ↗
cvss score 5.3
cwe CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
published Feb 2, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications.
Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion
high ✓ patched
cve id CVE-2026-1375 ↗
cvss score 8.1
cwe CWE-639: Authorization Bypass Through User-Controlled Key
published Feb 2, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.
Tutor LMS – eLearning and online course solution <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion
medium ✓ patched
cve id CVE-2026-0548 ↗
cvss score 5.4
cwe CWE-862: Missing Authorization
published Jan 20, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.
Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification
medium ✓ patched
cve id CVE-2025-13628 ↗
cvss score 4.3
cwe CWE-862: Missing Authorization
published Jan 8, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons.
Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion
medium ✓ patched
cve id CVE-2025-13935 ↗
cvss score 4.3
cwe CWE-862: Missing Authorization
published Jan 8, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed.
Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass
medium ✓ patched
cve id CVE-2025-13934 ↗
cvss score 4.3
cwe CWE-862: Missing Authorization
published Jan 8, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow.
Tutor LMS <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via tutor_order_details
medium ✓ patched
cve id CVE-2025-13679 ↗
cvss score 6.5
cwe CWE-862: Missing Authorization
published Jan 7, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address.
Tutor LMS <= 3.9.4 - Authenticated (Instructor+) Insecure Direct Object Reference
medium ✓ patched
cve id CVE-2025-47555 ↗
cvss score 4.3
cwe CWE-639: Authorization Bypass Through User-Controlled Key
published Jan 2, 2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Custom-level access and above, to perform an unauthorized action.
Tutor LMS <= 3.8.3 - Missing Authorization to Sensitive Information Exposure
medium ✓ patched
cve id CVE-2025-6680 ↗
cvss score 4.3
cwe CWE-284: Improper Access Control
published Oct 24, 2025
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level access and above, to view assignments for courses they don't teach which may contain sensitive information.
Tutor LMS – eLearning and online course solution <= 3.8.3 - Missing Authorization to Unauthenticated Payment Status Update
medium ✓ patched
cve id CVE-2025-11564 ↗
cvss score 5.3
cwe CWE-862: Missing Authorization
published Oct 24, 2025
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'.
Tutor LMS <= 3.7.4 - Authenticated (Administrator+) SQL Injection
medium ✓ patched
cve id CVE-2025-58993 ↗
cvss score 4.9
cwe CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
published Sep 9, 2025
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.7.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Tutor LMS <= 3.4.0 - Authenticated (Subscriber+) HTML Injection
medium ✓ patched
cve id CVE-2025-32230 ↗
cvss score 4.3
cwe CWE-20: Improper Input Validation
published Apr 7, 2025
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 3.4.0. This is due to the plugin not properly restricting HTML content from subscribers. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject HTML where they should not be authorized to.