Vulnerabilities > Themeum

DATE CVE VULNERABILITY TITLE RISK
2022-01-24 CVE-2021-25013 Cross-Site Request Forgery (CSRF) vulnerability in Themeum Qubely
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts
network
low complexity
themeum CWE-352
6.5
2022-01-24 CVE-2021-25017 Unspecified vulnerability in Themeum Tutor LMS
The Tutor LMS WordPress plugin before 1.9.12 does not escape the search parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
network
low complexity
themeum
6.1
2021-11-23 CVE-2021-24873 Unspecified vulnerability in Themeum Tutor LMS
The Tutor LMS WordPress plugin before 1.9.11 does not sanitise and escape user input before outputting back in attributes in the Student Registration page, leading to a Reflected Cross-Site Scripting issue
network
low complexity
themeum
6.1
2021-10-18 CVE-2021-24740 Cross-site Scripting vulnerability in Themeum Tutor LMS
The Tutor LMS WordPress plugin before 1.9.9 does not escape some of its settings before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.
network
low complexity
themeum CWE-79
4.8
2021-08-02 CVE-2021-24455 Unspecified vulnerability in Themeum Tutor LMS
The Tutor LMS – eLearning and online course solution WordPress plugin before 1.9.2 did not escape the Summary field of Announcements (when outputting it in an attribute), which can be created by users as low as Tutor Instructor.
network
low complexity
themeum
5.4
2021-04-22 CVE-2021-24242 Unspecified vulnerability in Themeum Tutor LMS
The Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.8 is affected by a local file inclusion vulnerability through the maliciously constructed sub_page parameter of the plugin's Tools, allowing high privilege users to include any local php file
network
low complexity
themeum
3.8
2021-04-05 CVE-2021-24208 Cross-site Scripting vulnerability in Themeum WP Page Builder
The editor of the WP Page Builder WordPress plugin before 1.2.4 allows lower-privileged users to insert unfiltered HTML, including JavaScript, into pages via the “Raw HTML” widget and the “Custom HTML” widgets (though the custom HTML widget requires sending a crafted request - it appears that this widget uses some form of client side validation but not server side validation), all of which are added via the “page_builder_data” parameter when performing the “wppb_page_save” AJAX action.
network
low complexity
themeum CWE-79
5.4
2021-04-05 CVE-2021-24207 Improper Privilege Management vulnerability in Themeum WP Page Builder
By default, the WP Page Builder WordPress plugin before 1.2.4 allows subscriber-level users to edit and make changes to any and all posts pages - user roles must be specifically blocked from editing posts and pages.
network
low complexity
themeum CWE-269
4.3
2021-04-05 CVE-2021-24186 SQL Injection vulnerability in Themeum Tutor LMS
The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.8.3 was vulnerable to UNION based SQL injection that could be exploited by students.
network
low complexity
themeum CWE-89
6.5
2021-04-05 CVE-2021-24185 SQL Injection vulnerability in Themeum Tutor LMS
The tutor_place_rating AJAX action from the Tutor LMS – eLearning and online course solution WordPress plugin before 1.7.7 was vulnerable to blind and time based SQL injections that could be exploited by students.
network
low complexity
themeum CWE-89
6.5