Vulnerabilities > Themeum > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-08-12 | CVE-2024-43231 | Cross-site Scripting vulnerability in Themeum Tutor LMS Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themeum Tutor LMS allows Stored XSS.This issue affects Tutor LMS: from n/a through 2.7.3. | 5.4 |
| 2024-07-27 | CVE-2024-1798 | Missing Authorization vulnerability in Themeum Tutor LMS - Migration Tool The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the tutor_lp_export_xml function in all versions up to, and including, 2.2.0. | 5.3 |
| 2024-07-27 | CVE-2024-1804 | Missing Authorization vulnerability in Themeum Tutor LMS - Migration Tool The Tutor LMS – Migration Tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tutor_import_from_xml function in all versions up to, and including, 2.2.0. | 4.3 |
| 2024-07-20 | CVE-2024-37947 | Unspecified vulnerability in Themeum Tutor LMS Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themeum Tutor LMS allows Stored XSS.This issue affects Tutor LMS: from n/a through 2.7.2. | 4.8 |
| 2024-06-07 | CVE-2024-5438 | Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.7.1 via the 'attempt_delete' function due to missing validation on a user controlled key. | 4.3 |
| 2024-05-16 | CVE-2024-4279 | Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference to Arbitrary Course Deletion in versions up to, and including, 2.7.0 via the 'tutor_course_delete' function due to missing validation on a user controlled key. | 6.5 |
| 2024-05-16 | CVE-2024-4318 | SQL Injection vulnerability in Themeum Tutor LMS The Tutor LMS plugin for WordPress is vulnerable to time-based SQL Injection via the ‘question_id’ parameter in versions up to, and including, 2.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. | 6.5 |
| 2024-04-25 | CVE-2024-3994 | Cross-site Scripting vulnerability in Themeum Tutor LMS The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'tutor_instructor_list' shortcode in all versions up to, and including, 2.6.2 due to insufficient input sanitization and output escaping on user supplied attributes. | 5.4 |
| 2024-03-27 | CVE-2024-29913 | Unspecified vulnerability in Themeum Tutor LMS Elementor Addons Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS Elementor Addons allows Stored XSS.This issue affects Tutor LMS Elementor Addons: from n/a through 2.1.3. | 5.4 |
| 2024-03-21 | CVE-2024-1502 | Missing Authorization vulnerability in Themeum Tutor LMS The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the tutor_delete_announcement() function in all versions up to, and including, 2.6.1. | 4.3 |