cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-10400,https://securityvulnerability.io/vulnerability/CVE-2024-10400,SQL Injection Vulnerability in Tutor LMS Plugin for WordPress Could Leak Sensitive Data,"The Tutor LMS plugin for WordPress is vulnerable to an SQL injection attack through the 'rating_filter' parameter in all versions up to and including 2.7.6. This vulnerability arises from inadequate escaping of user-supplied parameters, allowing unauthenticated attackers to inject additional SQL queries. By exploiting this weakness, adversaries can manipulate existing SQL queries, potentially exposing sensitive information stored in the database and compromising the security of the application.",Wordpress,Tutor Lms – Elearning And Online Course Solution,7.5,HIGH,0.0006000000284984708,false,,false,false,true,true,false,false,2024-11-21T07:35:36.980Z,611
CVE-2024-10393,https://securityvulnerability.io/vulnerability/CVE-2024-10393,Unauthenticated Attackers Can Bypass User Registration in Tutor LMS Plugin for WordPress,"The Tutor LMS plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 2.7.6. This is due to a missing check for the 'users_can_register' option in the 'register_instructor' function. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.",Wordpress,Tutor Lms – Elearning And Online Course Solution,5.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-11-21T06:49:54.320Z,0
CVE-2024-10897,https://securityvulnerability.io/vulnerability/CVE-2024-10897,Unauthorized Plugin Installation in Tutor LMS Elementor Addons Plugin Could Lead to Security Risks,"The Tutor LMS Elementor Addons plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the install_etlms_dependency_plugin() function in all versions up to, and including, 2.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install Elementor or Tutor LMS. Please note the impact of this issue is incredibly limited due to the fact that these two plugins will likely already be installed as a dependency of the plugin.",Wordpress,Tutor Lms Elementor Addons,4.3,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-11-15T04:29:04.948Z,0
CVE-2023-2919,https://securityvulnerability.io/vulnerability/CVE-2023-2919,Tutor LMS <= 2.7.4 - Cross-Site Request Forgery via 'addon_enable_disable',"The Tutor LMS plugin for WordPress has a vulnerability that allows Cross-Site Request Forgery due to improper nonce validation within the 'addon_enable_disable' functionality. This issue affects versions up to and including 2.7.4 and permits unauthenticated attackers to alter addon states by tricking a site administrator into unintentionally performing a specific action, such as clicking on a malicious link. As a result, critical functions within the plugin could be maliciously manipulated without proper authorization.",Wordpress,Tutor Lms – Elearning And Online Course Solution,4.3,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2024-09-10T09:30:19.274Z,0
CVE-2024-5784,https://securityvulnerability.io/vulnerability/CVE-2024-5784,Unauthorized Access to Administrative Actions on Tutor LMS Pro Plugin for WordPress,"The Tutor LMS  Pro plugin for WordPress is vulnerable to unauthorized administrative actions execution due to a missing capability checks on multiple functions like treport_quiz_atttempt_delete and tutor_gc_class_action in all versions up to, and including, 2.7.2. This makes it possible for authenticated attackers, with the subscriber-level access and above, to preform an administrative actions on the site, like comments, posts or users deletion, viewing notifications, etc.",Wordpress,Tutor Lms Pro,6.3,MEDIUM,0.0004400000034365803,false,,false,false,false,,false,false,2024-08-30T03:24:16.470Z,0
CVE-2024-5576,https://securityvulnerability.io/vulnerability/CVE-2024-5576,Arbitrary Web Script Injection Vulnerability in The Tutor LMS Elementor Addons Plugin,"The Tutor LMS Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'course_carousel_skin' attribute within the plugin's Course Carousel widget in all versions up to, and including, 2.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Tutor Lms Elementor Addons,5.4,MEDIUM,0.0005699999746866524,false,,false,false,false,,false,false,2024-08-20T05:30:03.314Z,0
CVE-2024-1798,https://securityvulnerability.io/vulnerability/CVE-2024-1798,Unauthorized Access to Data through Missing Capability Check in Tutor LMS Migration Tool,"The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the tutor_lp_export_xml function in all versions up to, and including, 2.2.0. This makes it possible for unauthenticated attackers to export courses, including private and password protected courses.",Wordpress,Tutor Lms – Migration Tool,5.3,MEDIUM,0.0004600000102072954,false,,false,false,false,,false,false,2024-07-27T02:15:00.000Z,0
CVE-2024-1804,https://securityvulnerability.io/vulnerability/CVE-2024-1804,Unauthorized Modification of Data in The Tutor LMS Migration Tool Plugin,"The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tutor_import_from_xml function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to import courses.",Wordpress,Tutor Lms – Migration Tool,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-07-27T02:15:00.000Z,0
CVE-2024-5438,https://securityvulnerability.io/vulnerability/CVE-2024-5438,Arbitrary Quiz Attempt Deletion Vulnerability in The Tutor LMS,"The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.1 via the 'attempt_delete' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Instructor-level access and above, to delete arbitrary quiz attempts.",Wordpress,Tutor Lms – Elearning And Online Course Solution,4.3,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-06-07T12:33:42.892Z,0
CVE-2024-4902,https://securityvulnerability.io/vulnerability/CVE-2024-4902,Time-Based SQL Injection Vulnerability in The Tutor LMS,"The Tutor LMS plugin for WordPress is susceptible to a time-based SQL Injection through the 'course_id' parameter. This vulnerability arises from insufficient escaping of user-supplied data and inadequate preparation of existing SQL queries. Authenticated users, particularly those with admin privileges, can exploit this flaw to append additional SQL queries to legitimate requests, potentially leading to unauthorized access and extraction of sensitive data from the database. This poses significant risks to the integrity and confidentiality of user information within affected sites.",Wordpress,Tutor Lms – Elearning And Online Course Solution,7.2,HIGH,0.0006399999838322401,false,,false,false,false,,false,false,2024-06-07T04:33:25.127Z,0
CVE-2024-4352,https://securityvulnerability.io/vulnerability/CVE-2024-4352,Unauthorized Access and SQL Injection Vulnerabilities in Tutor LMS Pro Plugin for WordPress,"The Tutor LMS Pro plugin for WordPress is susceptible to unauthorized data access and SQL Injection due to a missing capability check within the 'get_calendar_materials' function. This flaw permits authenticated attackers, even those with subscription-level permissions, to exploit the vulnerable function. Attackers can manipulate the 'year' parameter, leading to inadequate escaping of user-supplied values and insufficient SQL query preparation. Such exploitation can enable unauthorized modification and extraction of sensitive data, posing significant security risks for WordPress sites using this plugin.",Wordpress,Tutor Lms Pro,8.8,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,2024-05-16T09:32:12.341Z,0
CVE-2024-4222,https://securityvulnerability.io/vulnerability/CVE-2024-4222,Unauthorized Access to Data in Tutor LMS Pro Plugin for WordPress,"The Tutor LMS Pro plugin for WordPress has a vulnerability that allows unauthorized users to gain access to sensitive data and perform unauthorized actions within the system. This issue arises from a missing capability check across multiple functions, impacting all versions up to and including 2.7.0. As a result, unauthenticated attackers can modify or delete user metadata and alter plugin options, raising significant concerns regarding the integrity and security of user data.",Wordpress,Tutor Lms Pro,8.2,HIGH,0.0004799999878741801,false,,false,false,false,,false,false,2024-05-16T09:32:11.833Z,0
CVE-2024-4351,https://securityvulnerability.io/vulnerability/CVE-2024-4351,Unauthorized Access to Data in Tutor LMS Pro Plugin for WordPress,"The Tutor LMS Pro plugin for WordPress is susceptible to an unauthorized access flaw due to a lack of capability checks within the 'authenticate' function. This vulnerability, present in all versions up to and including 2.7.0, allows authenticated users, even those with subscriber-level permissions, to potentially manipulate or take control of an administrator account. Given the expansive use of the plugin, this security issue raises serious concerns about data integrity and user privacy across affected WordPress installations.",Wordpress,Tutor Lms Pro,8.8,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,2024-05-16T09:32:11.196Z,0
CVE-2024-4223,https://securityvulnerability.io/vulnerability/CVE-2024-4223,Unauthorized Access to Data in Tutor LMS Plugin for WordPress,"The Tutor LMS plugin for WordPress is susceptible to unauthorized data access due to a missing capability check across multiple functions. This vulnerability allows unauthenticated attackers the ability to add, modify, or delete data. The issue affects all versions of the Tutor LMS plugin up to and including version 2.7.0, posing significant risks for WordPress users who rely on this plugin for their educational platforms.",Wordpress,Tutor Lms – Elearning And Online Course Solution,9.8,CRITICAL,0.0004299999854993075,false,,false,false,false,,false,false,2024-05-16T08:32:50.538Z,0
CVE-2024-4318,https://securityvulnerability.io/vulnerability/CVE-2024-4318,Tutor LMS Plugin Vulnerable to SQL Injection,"The Tutor LMS plugin for WordPress is susceptible to a time-based SQL Injection vulnerability through the 'question_id' parameter, impacting versions up to and including 2.7.0. This vulnerability stems from inadequate escaping of user-supplied input and insufficient preparation of existing SQL queries. Authenticated attackers with Instructor-level permissions or higher can exploit this vulnerability by appending additional SQL queries to the original ones, thereby gaining unauthorized access to sensitive database information.",Wordpress,Tutor Lms – Elearning And Online Course Solution,6.5,MEDIUM,0.0006099999882280827,false,,false,false,false,,false,false,2024-05-16T05:33:27.607Z,0
CVE-2024-4279,https://securityvulnerability.io/vulnerability/CVE-2024-4279,Arbitrary Course Deletion Vulnerability in The Tutor LMS,"The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutor_course_delete' function due to missing validation on a user controlled key. This can allow authenticated attackers, with Instructor-level permissions and above, to delete any course.",Wordpress,Tutor Lms – Elearning And Online Course Solution,6.5,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2024-05-16T05:33:25.813Z,0
CVE-2024-3553,https://securityvulnerability.io/vulnerability/CVE-2024-3553,Unauthorized Modification of Data in Tutor LMS Plugin Could Enable User Registration,"The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the hide_notices function in all versions up to, and including, 2.6.2. This makes it possible for unauthenticated attackers to enable user registration on sites that may have it disabled.",Wordpress,Tutor Lms – Elearning And Online Course Solution,6.5,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-05-02T16:52:53.256Z,0
CVE-2024-3994,https://securityvulnerability.io/vulnerability/CVE-2024-3994,Stored Cross-Site Scripting Vulnerability in The Tutor LMS Plugin,"The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tutor_instructor_list' shortcode in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Tutor Lms – Elearning And Online Course Solution,5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-04-25T09:29:58.460Z,0
CVE-2024-1503,https://securityvulnerability.io/vulnerability/CVE-2024-1503,Cross-Site Request Forgery in Tutor LMS Plugin for WordPress,"The Tutor LMS plugin for WordPress is susceptible to Cross-Site Request Forgery (CSRF) due to inadequate nonce validation in the erase_tutor_data() function. This vulnerability allows unauthenticated attackers to disable the plugin and erase course-related data, assuming they can trick an administrator into executing a malicious request, particularly if the 'Erase upon uninstallation' option is activated. Site administrators must be vigilant to avoid inadvertently executing harmful actions that could compromise their eLearning environments.",Wordpress,Tutor Lms,,,0.0004299999854993075,false,,false,false,false,,false,false,2024-03-21T02:51:00.000Z,0
CVE-2024-1502,https://securityvulnerability.io/vulnerability/CVE-2024-1502,Unauthorized Data Deletion Vulnerability in Tutor LMS Plugin by WordPress,"The Tutor LMS plugin for WordPress has a significant vulnerability that permits authenticated users with subscriber-level access and higher to delete posts due to a missing capability check in the tutor_delete_announcement() function. This flaw is present in all versions of the plugin up to and including version 2.6.1, potentially leading to unauthorized data loss and disruption of services for website administrators and users.",Wordpress,Tutor Lms,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-03-21T02:51:00.000Z,0
CVE-2024-1751,https://securityvulnerability.io/vulnerability/CVE-2024-1751,Time-Based SQL Injection Vulnerability in The Tutor LMS,"The Tutor LMS plugin for WordPress presents a security vulnerability related to time-based SQL Injection, specifically through the question_id parameter. This flaw arises from inadequate escaping of user-supplied input and insufficient preparation of existing SQL queries. Authenticated attackers possessing subscriber or higher access can manipulate SQL queries to append harmful instructions, potentially leading to unauthorized extraction of sensitive information from the database. This vulnerability impacts all versions leading up to and including 2.6.1, necessitating prompt action for users to safeguard their installations.",Wordpress,Tutor Lms – Elearning And Online Course Solution,8.8,HIGH,0.00044999999227002263,false,,false,false,false,,false,false,2024-03-13T15:27:26.103Z,0
CVE-2024-1128,https://securityvulnerability.io/vulnerability/CVE-2024-1128,HTML Injection in Tutor LMS Plugin for WordPress,"The Tutor LMS plugin for WordPress is affected by a critical vulnerability that allows authenticated users to inject arbitrary HTML code into a site through its Q&A functionality. This issue arises due to inadequate sanitization of HTML inputs, potentially allowing attackers with 'Student' access and higher to manipulate the site's content. While not allowing Cross-Site Scripting, this vulnerability poses a significant risk to the integrity of web pages, necessitating prompt attention from site administrators to secure their installations.",Wordpress,Tutor LMS – eLearning and online course solution,3.5,LOW,0.0004799999878741801,false,,false,false,false,,false,false,2024-02-29T01:43:00.000Z,0
CVE-2024-1133,https://securityvulnerability.io/vulnerability/CVE-2024-1133,Unauthorized Access to Restricted Q&A Content in Tutor LMS,"The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of restricted Q&A content due to a missing capability check when interacting with questions in all versions up to, and including, 2.6.0. This makes it possible for authenticated attackers, with subscriber access or higher, to interact with questions in courses in which they are not enrolled including private courses.",Wordpress,Tutor LMS – eLearning and online course solution,4.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-02-29T01:43:00.000Z,0
CVE-2023-4805,https://securityvulnerability.io/vulnerability/CVE-2023-4805,Tutor LMS < 2.3.0 - Subscriber+ Stored Cross-Site Scripting,"The Tutor LMS WordPress plugin before 2.3.0 does not sanitise and escape some of its settings, which could allow users such as subscriber to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)",Wordpress,Tutor LMS,5.4,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2023-10-16T20:15:00.000Z,0
CVE-2023-3133,https://securityvulnerability.io/vulnerability/CVE-2023-3133,Tutor LMS < 2.2.1 - Unauthenticated Access to Tutor LMS Lesson Resources via REST API,"The Tutor LMS plugin for WordPress prior to version 2.2.1 contains a vulnerability where inadequate permission checks are enforced on REST API endpoints. This flaw allows unauthenticated attackers to access sensitive lesson information that should not be publicly accessible, potentially exposing sensitive educational content to unauthorized users. It is essential for site administrators to update to the latest version to mitigate this risk.",Wordpress,Tutor Lms,7.5,HIGH,0.0029200001154094934,false,,false,false,false,,false,false,2023-07-04T08:15:00.000Z,0