Tutor LMS – eLearning and online course solution — Vulnerabilities & Security Advisories 46

All 46 CVE vulnerabilities found in Tutor LMS – eLearning and online course solution, with AI-generated Chinese analysis, references, and POCs.

This page documents known security weaknesses associated with Tutor LMS, an eLearning and online course solution developed by Tutor LMS Inc. It aggregates vulnerability data covering a wide range of severity levels, including cross-site scripting, insecure direct object references, and authentication bypasses, specifically addressing issues reported and resolved between January 2019 and December 2024. The content is curated from official vendor advisories, public databases, and security research reports to ensure accuracy and comprehensiveness. By utilizing this resource, security professionals and administrators can track the historical trajectory of security advisories issued by the vendor, gaining insight into the evolution of their security posture over time. Users can also explore specific weakness classes to understand how they manifest within the Tutor LMS ecosystem, facilitating better risk assessment and mitigation strategies. Additionally, the page serves as a historical reference, allowing teams to look up a product's vulnerability history to identify recurring patterns or persistent issues that may require ongoing attention. This structured approach helps stakeholders prioritize patching efforts, improve configuration security, and maintain compliance with organizational security policies. The information provided is intended solely for defensive security purposes, aiding in the identification of potential entry points for attackers and enabling proactive defense measures against known exploits affecting this popular learning management system plugin.

Vendor: Unknown

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-13443 | Tutor LMS <= 3.9.13 - Authenticated (Author+) Stored Cross-Site Scripting via Lesson Attachment Title | CWE-79 | 6.4 | Medium | 2026-07-01 |
| CVE-2026-10736 | Tutor LMS <= 3.9.11 - Authenticated (Administrator+) SQL Injection via 'data' Parameter | CWE-89 | 4.9 | Medium | 2026-06-18 |
| CVE-2026-6965 | Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter | CWE-639 | 5.3 | Medium | 2026-05-13 |
| CVE-2026-5502 | Tutor LMS <= 3.9.8 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order | CWE-862 | 5.3 | Medium | 2026-04-17 |
| CVE-2026-6080 | Tutor LMS <= 3.9.8 - Authenticated (Admin+) SQL Injection via 'date' Parameter | CWE-89 | 6.5 | Medium | 2026-04-17 |
| CVE-2026-3371 | Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification | CWE-639 | 4.3 | Medium | 2026-04-11 |
| CVE-2026-3358 | Tutor LMS <= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment | CWE-862 | 5.4 | Medium | 2026-04-11 |
| CVE-2026-3360 | Tutor LMS <= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via 'order_id' Parameter | CWE-862 | 7.5 | High | 2026-04-10 |
| CVE-2025-13673 | Tutor LMS <= 3.9.6 - Unauthenticated SQL Injection via coupon_code | CWE-89 | 7.5 | High | 2026-02-28 |
| CVE-2026-1371 | Tutor LMS <= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action | CWE-200 | 5.3 | Medium | 2026-02-03 |
| CVE-2026-1375 | Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion | CWE-639 | 8.1 | High | 2026-02-03 |
| CVE-2026-0548 | Tutor LMS – eLearning and online course solution <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion | CWE-862 | 5.4 | Medium | 2026-01-20 |
| CVE-2025-13935 | Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion | CWE-862 | 4.3 | Medium | 2026-01-09 |
| CVE-2025-13934 | Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass | CWE-862 | 4.3 | Medium | 2026-01-09 |
| CVE-2025-13628 | Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification | CWE-862 | 4.3 | Medium | 2026-01-09 |
| CVE-2025-13679 | Tutor LMS <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via tutor_order_details | CWE-862 | 6.5 | Medium | 2026-01-08 |
| CVE-2025-11564 | Tutor LMS – eLearning and online course solution <= 3.8.3 - Missing Authorization to Unauthenticated Payment Status Update | CWE-862 | 5.3 | Medium | 2025-10-25 |
| CVE-2025-6680 | Tutor LMS <= 3.8.3 - Missing Authorization to Sensitive Information Exposure | CWE-284 | 4.3 | Medium | 2025-10-25 |
| CVE-2024-10400 | Tutor LMS <= 2.7.6 - Unauthenticated SQL Injection via rating_filter | CWE-89 | 7.5 | High | 2024-11-21 |
| CVE-2024-10393 | Tutor LMS <= 2.7.6 - User Registration Setting Bypass to Unauthorized User Registration | CWE-284 | 5.3 | Medium | 2024-11-21 |
| CVE-2023-2919 | Tutor LMS <= 2.7.4 - Cross-Site Request Forgery via 'addon_enable_disable' | CWE-352 | 4.3 | Medium | 2024-09-10 |
| CVE-2024-5438 | Tutor LMS – eLearning and online course solution <= 2.7.1 - Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Quiz Attempt Deletion | CWE-639 | 4.3 | Medium | 2024-06-07 |
| CVE-2024-4902 | Tutor LMS – eLearning and online course solution <= 2.7.1 - Authenticated (Administrator+) SQL Injection | CWE-89 | 7.2 | High | 2024-06-07 |
| CVE-2024-4223 | Tutor LMS <= 2.7.0 - Missing Authorization | CWE-862 | 9.8 | Critical | 2024-05-16 |
| CVE-2024-4318 | Tutor LMS <= 2.7.0 - Authenticated (Instructor+) SQL Injection | CWE-89 | 8.8 | High | 2024-05-16 |
| CVE-2024-4279 | Tutor LMS – eLearning and online course solution <= 2.7.0 - Authenticated (Instructor+) Insecure Direct Object Reference to Arbitrary Course Deletion | CWE-639 | 6.5 | Medium | 2024-05-16 |
| CVE-2024-3553 | Tutor LMS <= 2.6.2 - Missing Authorization to Unauthenticated Limited Options Update | CWE-862 | 6.5 | Medium | 2024-05-02 |
| CVE-2024-3994 | Tutor LMS – eLearning and online course solution <= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tutor_instructor_list' Shortcode | CWE-79 | 5.4 | Medium | 2024-04-25 |
| CVE-2024-1751 | Tutor LMS – eLearning and online course solution <= 2.6.1 - Authenticated (Subscriber+) SQL Injection | CWE-89 | 8.8 | High | 2024-03-13 |
| CVE-2024-1502 | Tutor LMS – eLearning and online course solution <= 2.6.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion | CWE-862 | 5.4 | Medium | 2024-03-12 |