cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-10400,https://securityvulnerability.io/vulnerability/CVE-2024-10400,SQL Injection Vulnerability in Tutor LMS Plugin for WordPress Could Leak Sensitive Data,"The Tutor LMS plugin for WordPress is vulnerable to an SQL injection attack through the 'rating_filter' parameter in all versions up to and including 2.7.6. This vulnerability arises from inadequate escaping of user-supplied parameters, allowing unauthenticated attackers to inject additional SQL queries. By exploiting this weakness, adversaries can manipulate existing SQL queries, potentially exposing sensitive information stored in the database and compromising the security of the application.",Wordpress,Tutor Lms – Elearning And Online Course Solution,7.5,HIGH,0.0006000000284984708,false,,false,false,true,true,false,false,2024-11-21T07:35:36.980Z,611
CVE-2024-10393,https://securityvulnerability.io/vulnerability/CVE-2024-10393,Unauthenticated Attackers Can Bypass User Registration in Tutor LMS Plugin for WordPress,"The Tutor LMS plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 2.7.6. This is due to a missing check for the 'users_can_register' option in the 'register_instructor' function. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled.",Wordpress,Tutor Lms – Elearning And Online Course Solution,5.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-11-21T06:49:54.320Z,0
CVE-2023-2919,https://securityvulnerability.io/vulnerability/CVE-2023-2919,Tutor LMS <= 2.7.4 - Cross-Site Request Forgery via 'addon_enable_disable',"The Tutor LMS plugin for WordPress has a vulnerability that allows Cross-Site Request Forgery due to improper nonce validation within the 'addon_enable_disable' functionality. This issue affects versions up to and including 2.7.4 and permits unauthenticated attackers to alter addon states by tricking a site administrator into unintentionally performing a specific action, such as clicking on a malicious link. As a result, critical functions within the plugin could be maliciously manipulated without proper authorization.",Wordpress,Tutor Lms – Elearning And Online Course Solution,4.3,MEDIUM,0.0005200000014156103,false,,false,false,false,,false,false,2024-09-10T09:30:19.274Z,0
CVE-2024-5438,https://securityvulnerability.io/vulnerability/CVE-2024-5438,Arbitrary Quiz Attempt Deletion Vulnerability in The Tutor LMS,"The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.1 via the 'attempt_delete' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Instructor-level access and above, to delete arbitrary quiz attempts.",Wordpress,Tutor Lms – Elearning And Online Course Solution,4.3,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-06-07T12:33:42.892Z,0
CVE-2024-4902,https://securityvulnerability.io/vulnerability/CVE-2024-4902,Time-Based SQL Injection Vulnerability in The Tutor LMS,"The Tutor LMS plugin for WordPress is susceptible to a time-based SQL Injection through the 'course_id' parameter. This vulnerability arises from insufficient escaping of user-supplied data and inadequate preparation of existing SQL queries. Authenticated users, particularly those with admin privileges, can exploit this flaw to append additional SQL queries to legitimate requests, potentially leading to unauthorized access and extraction of sensitive data from the database. This poses significant risks to the integrity and confidentiality of user information within affected sites.",Wordpress,Tutor Lms – Elearning And Online Course Solution,7.2,HIGH,0.0006399999838322401,false,,false,false,false,,false,false,2024-06-07T04:33:25.127Z,0
CVE-2024-4223,https://securityvulnerability.io/vulnerability/CVE-2024-4223,Unauthorized Access to Data in Tutor LMS Plugin for WordPress,"The Tutor LMS plugin for WordPress is susceptible to unauthorized data access due to a missing capability check across multiple functions. This vulnerability allows unauthenticated attackers the ability to add, modify, or delete data. The issue affects all versions of the Tutor LMS plugin up to and including version 2.7.0, posing significant risks for WordPress users who rely on this plugin for their educational platforms.",Wordpress,Tutor Lms – Elearning And Online Course Solution,9.8,CRITICAL,0.0004299999854993075,false,,false,false,false,,false,false,2024-05-16T08:32:50.538Z,0
CVE-2024-4318,https://securityvulnerability.io/vulnerability/CVE-2024-4318,Tutor LMS Plugin Vulnerable to SQL Injection,"The Tutor LMS plugin for WordPress is susceptible to a time-based SQL Injection vulnerability through the 'question_id' parameter, impacting versions up to and including 2.7.0. This vulnerability stems from inadequate escaping of user-supplied input and insufficient preparation of existing SQL queries. Authenticated attackers with Instructor-level permissions or higher can exploit this vulnerability by appending additional SQL queries to the original ones, thereby gaining unauthorized access to sensitive database information.",Wordpress,Tutor Lms – Elearning And Online Course Solution,6.5,MEDIUM,0.0006099999882280827,false,,false,false,false,,false,false,2024-05-16T05:33:27.607Z,0
CVE-2024-4279,https://securityvulnerability.io/vulnerability/CVE-2024-4279,Arbitrary Course Deletion Vulnerability in The Tutor LMS,"The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutor_course_delete' function due to missing validation on a user controlled key. This can allow authenticated attackers, with Instructor-level permissions and above, to delete any course.",Wordpress,Tutor Lms – Elearning And Online Course Solution,6.5,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2024-05-16T05:33:25.813Z,0
CVE-2024-3553,https://securityvulnerability.io/vulnerability/CVE-2024-3553,Unauthorized Modification of Data in Tutor LMS Plugin Could Enable User Registration,"The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the hide_notices function in all versions up to, and including, 2.6.2. This makes it possible for unauthenticated attackers to enable user registration on sites that may have it disabled.",Wordpress,Tutor Lms – Elearning And Online Course Solution,6.5,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-05-02T16:52:53.256Z,0
CVE-2024-3994,https://securityvulnerability.io/vulnerability/CVE-2024-3994,Stored Cross-Site Scripting Vulnerability in The Tutor LMS Plugin,"The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tutor_instructor_list' shortcode in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Tutor Lms – Elearning And Online Course Solution,5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-04-25T09:29:58.460Z,0
CVE-2024-1751,https://securityvulnerability.io/vulnerability/CVE-2024-1751,Time-Based SQL Injection Vulnerability in The Tutor LMS,"The Tutor LMS plugin for WordPress presents a security vulnerability related to time-based SQL Injection, specifically through the question_id parameter. This flaw arises from inadequate escaping of user-supplied input and insufficient preparation of existing SQL queries. Authenticated attackers possessing subscriber or higher access can manipulate SQL queries to append harmful instructions, potentially leading to unauthorized extraction of sensitive information from the database. This vulnerability impacts all versions leading up to and including 2.6.1, necessitating prompt action for users to safeguard their installations.",Wordpress,Tutor Lms – Elearning And Online Course Solution,8.8,HIGH,0.00044999999227002263,false,,false,false,false,,false,false,2024-03-13T15:27:26.103Z,0
CVE-2024-1128,https://securityvulnerability.io/vulnerability/CVE-2024-1128,HTML Injection in Tutor LMS Plugin for WordPress,"The Tutor LMS plugin for WordPress is affected by a critical vulnerability that allows authenticated users to inject arbitrary HTML code into a site through its Q&A functionality. This issue arises due to inadequate sanitization of HTML inputs, potentially allowing attackers with 'Student' access and higher to manipulate the site's content. While not allowing Cross-Site Scripting, this vulnerability poses a significant risk to the integrity of web pages, necessitating prompt attention from site administrators to secure their installations.",Wordpress,Tutor LMS – eLearning and online course solution,3.5,LOW,0.0004799999878741801,false,,false,false,false,,false,false,2024-02-29T01:43:00.000Z,0
CVE-2024-1133,https://securityvulnerability.io/vulnerability/CVE-2024-1133,Unauthorized Access to Restricted Q&A Content in Tutor LMS,"The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of restricted Q&A content due to a missing capability check when interacting with questions in all versions up to, and including, 2.6.0. This makes it possible for authenticated attackers, with subscriber access or higher, to interact with questions in courses in which they are not enrolled including private courses.",Wordpress,Tutor LMS – eLearning and online course solution,4.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-02-29T01:43:00.000Z,0
CVE-2022-2563,https://securityvulnerability.io/vulnerability/CVE-2022-2563,Tutor LMS < 2.0.10 - Admin+ Stored Cross-Site Scripting,"The Tutor LMS WordPress plugin before 2.0.10 does not escape some course parameters, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)",Wordpress,Tutor Lms – Elearning And Online Course Solution,4.8,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2022-10-17T00:00:00.000Z,0
CVE-2021-25017,https://securityvulnerability.io/vulnerability/CVE-2021-25017,Tutor LMS < 1.9.12 - Reflected Cross-Site Scripting,"The Tutor LMS WordPress plugin before 1.9.12 does not escape the search parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting",Wordpress,Tutor Lms – Elearning And Online Course Solution,6.1,MEDIUM,0.0007399999885819852,false,,false,false,false,,false,false,2022-01-24T08:01:11.000Z,0
CVE-2021-24873,https://securityvulnerability.io/vulnerability/CVE-2021-24873,Tutor LMS < 1.9.11 - Reflected Cross-Site Scripting,"The Tutor LMS WordPress plugin before 1.9.11 does not sanitise and escape user input before outputting back in attributes in the Student Registration page, leading to a Reflected Cross-Site Scripting issue",Wordpress,Tutor Lms – Elearning And Online Course Solution,6.1,MEDIUM,0.0006600000197067857,false,,false,false,false,,false,false,2021-11-23T19:16:14.000Z,0
CVE-2021-24740,https://securityvulnerability.io/vulnerability/CVE-2021-24740,Tutor LMS < 1.9.9 - Multiple Admin+ Stored Cross-Site Scripting,"The Tutor LMS WordPress plugin before 1.9.9 does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.",Wordpress,Tutor Lms – Elearning And Online Course Solution,4.8,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2021-10-18T13:46:07.000Z,0
CVE-2021-24455,https://securityvulnerability.io/vulnerability/CVE-2021-24455,Tutor LMS < 1.9.2 - Authenticated Stored Cross-Site Scripting (XSS),"The Tutor LMS – eLearning and online course solution WordPress plugin before 1.9.2 did not escape the Summary field of Announcements (when outputting it in an attribute), which can be created by users as low as Tutor Instructor. This lead to a Stored Cross-Site Scripting issue, which is triggered when viewing the Announcements list, and could result in privilege escalation when viewed by an admin.",Wordpress,Tutor Lms – Elearning And Online Course Solution,5.4,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2021-08-02T10:32:01.000Z,0
CVE-2021-24242,https://securityvulnerability.io/vulnerability/CVE-2021-24242,Tutor LMS < 1.8.8 - Authenticated Local File Inclusion,"The Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.8 is affected by a local file inclusion vulnerability through the maliciously constructed sub_page parameter of the plugin's Tools, allowing high privilege users to include any local php file",Wordpress,Tutor Lms – Elearning And Online Course Solution,3.8,LOW,0.0007300000288523734,false,,false,false,false,,false,false,2021-04-22T21:00:51.000Z,0
CVE-2021-24181,https://securityvulnerability.io/vulnerability/CVE-2021-24181,Tutor LMS < 1.7.7 - SQL Injection via tutor_mark_answer_as_correct,The tutor_mark_answer_as_correct AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited by students.,Wordpress,Tutor Lms – Elearning And Online Course Solution,6.5,MEDIUM,0.0016799999866634607,false,,false,false,false,,false,false,2021-04-05T18:27:45.000Z,0
CVE-2021-24186,https://securityvulnerability.io/vulnerability/CVE-2021-24186,Tutor LMS < 1.8.3 - SQL Injection via tutor_answering_quiz_question/get_answer_by_id,The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students.,Wordpress,Tutor Lms – Elearning And Online Course Solution,6.5,MEDIUM,0.0016799999866634607,false,,false,false,false,,false,false,2021-04-05T18:27:45.000Z,0
CVE-2021-24184,https://securityvulnerability.io/vulnerability/CVE-2021-24184,Tutor LMS < 1.7.7 - Unprotected AJAX including Privilege Escalation,"Several AJAX endpoints in the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 were unprotected, allowing students to modify course information and elevate their privileges among many other actions.",Wordpress,Tutor Lms – Elearning And Online Course Solution,8.8,HIGH,0.002240000059828162,false,,false,false,false,,false,false,2021-04-05T18:27:45.000Z,0
CVE-2021-24183,https://securityvulnerability.io/vulnerability/CVE-2021-24183,Tutor LMS < 1.8.3 - SQL Injection via tutor_quiz_builder_get_question_form,The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students.,Wordpress,Tutor Lms – Elearning And Online Course Solution,6.5,MEDIUM,0.0016799999866634607,false,,false,false,false,,false,false,2021-04-05T18:27:45.000Z,0
CVE-2021-24182,https://securityvulnerability.io/vulnerability/CVE-2021-24182,Tutor LMS < 1.8.3 - SQL Injection via tutor_quiz_builder_get_answers_by_question,The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students.,Wordpress,Tutor Lms – Elearning And Online Course Solution,6.5,MEDIUM,0.0016799999866634607,false,,false,false,false,,false,false,2021-04-05T18:27:45.000Z,0
CVE-2021-24185,https://securityvulnerability.io/vulnerability/CVE-2021-24185,Tutor LMS < 1.7.7 - SQL Injection via tutor_place_rating,The tutor_place_rating AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited by students.,Wordpress,Tutor Lms – Elearning And Online Course Solution,6.5,MEDIUM,0.0016799999866634607,false,,false,false,false,,false,false,2021-04-05T18:27:45.000Z,0