Which Tutor LMS – eLearning and online course solution CVEs are tracked?

Tutor LMS – eLearning and online course solution tracked CVEs include CVE-2024-4223, CVE-2023-25700, CVE-2024-4318, CVE-2024-1751, and CVE-2023-25800.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 66 known issues Latest disclosed Apr 16, 2026

Tutor LMS – eLearning and online course solution Vulnerabilities

Q: How many Tutor LMS – eLearning and online course solution vulnerabilities have patch guidance?

66 of 66 tracked Tutor LMS – eLearning and online course solution records include a published patch path.

Review known vulnerability records for the WordPress plugin Tutor LMS – eLearning and online course solution (`tutor`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-6080, CVE-2026-5502 and CVE-2026-3371, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Apr 17, 2026

Priority CVE Quick Links

Fast paths into Tutor LMS – eLearning and online course solution CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2024-4223 Critical 2.7.1

CVE-2024-4223 Tutor LMS – eLearning and online course solution Vulnerability

Tutor LMS <= 2.7.0 - Missing Authorization

CVE-2023-25700 Critical 2.2.0

CVE-2023-25700 Tutor LMS – eLearning and online course solution SQL Injection

Tutor LMS <= 2.1.10 - Unauthenticated SQL Injection

CVE-2024-4318 High 2.7.1

CVE-2024-4318 Tutor LMS – eLearning and online course solution SQL Injection

Tutor LMS <= 2.7.0 - Authenticated (Instructor+) SQL Injection

CVE-2024-1751 High 2.6.2

CVE-2024-1751 Tutor LMS – eLearning and online course solution SQL Injection

Tutor LMS – eLearning and online course solution <= 2.6.1 - Authenticated (Subscriber+) SQL Injection

CVE-2023-25800 High 2.2.1

CVE-2023-25800 Tutor LMS – eLearning and online course solution SQL Injection

Tutor LMS <= 2.2.0 - Authenticated (Student+) SQL Injection

CVE-2023-25990 High 2.2.0

CVE-2023-25990 Tutor LMS – eLearning and online course solution SQL Injection

Tutor LMS <= 2.1.10 - Authenticated (Tutor Instructor+) SQL Injection

CVE-2021-24186 High 1.8.3

CVE-2021-24186 Tutor LMS – eLearning and online course solution SQL Injection

Tutor LMS <=1.8.2 - SQL Injection via tutor_answering_quiz_question/get_answer_by_id

CVE-2021-24182 High 1.8.3

CVE-2021-24182 Tutor LMS – eLearning and online course solution SQL Injection

Tutor LMS <=1.8.2 - SQL Injection via tutor_quiz_builder_get_answers_by_question

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Tutor LMS – eLearning and online course solution so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

66 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

2 critical and 16 high severity findings.

Recent CVEs

CVE-2026-6080, CVE-2026-5502 and CVE-2026-3371

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-6080 Medium Patch path listed

CVE-2026-6080: Tutor LMS <= 3.9.8 - Authenticated (Admin+) SQL Injection via 'date' Parameter

The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct int...

Published

Apr 16, 2026

Patch Status

3.9.9

Open CVE-2026-6080 Report

CVE-2026-5502 Medium Patch path listed

CVE-2026-5502: Tutor LMS <= 3.9.8 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a mi...

Published

Apr 16, 2026

Patch Status

3.9.9

Open CVE-2026-5502 Report

CVE-2026-3371 Medium Patch path listed

CVE-2026-3371: Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missin...

Published

Apr 10, 2026

Patch Status

3.9.8

Open CVE-2026-3371 Report

Known Vulnerabilities

Reports for Tutor LMS – eLearning and online course solution

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-6080

CVE-2026-6080: Tutor LMS <= 3.9.8 - Authenticated (Admin+) SQL Injection via 'date' Parameter

The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it poss...

Published

Apr 16, 2026

Patched Release

3.9.9

Affected Versions

Versions up to 3.9.8

Next Step

Update to 3.9.9 or newer if supported.

Open CVE-2026-6080 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-5502

CVE-2026-5502: Tutor LMS <= 3.9.8 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The functio...

Published

Apr 16, 2026

Patched Release

3.9.9

Affected Versions

Versions up to 3.9.8

Next Step

Update to 3.9.9 or newer if supported.

Open CVE-2026-5502 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-3371

CVE-2026-3371: Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is calle...

Published

Apr 10, 2026

Patched Release

3.9.8

Affected Versions

Versions up to 3.9.7

Next Step

Update to 3.9.8 or newer if supported.

Open CVE-2026-3371 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-3358

CVE-2026-3358: Tutor LMS <= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions....

Published

Apr 10, 2026

Patched Release

3.9.8

Affected Versions

Versions up to 3.9.7

Next Step

Update to 3.9.8 or newer if supported.

Open CVE-2026-3358 Report Open CVE Reference

Plugin High Patched: Yes CVE-2026-3360

CVE-2026-3360: Tutor LMS <= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via 'order_id' Parameter

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The...

Published

Apr 09, 2026

Patched Release

3.9.8

Affected Versions

Versions up to 3.9.7

Next Step

Update to 3.9.8 or newer if supported.

Open CVE-2026-3360 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-32223

CVE-2025-32223: Tutor LMS – eLearning and online course solution <= 3.9.4 - Authenticated (Subscriber+) Insecure Direct Object Reference

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Sub...

Published

Mar 16, 2026

Patched Release

3.9.5

Affected Versions

Versions up to 3.9.4

Next Step

Update to 3.9.5 or newer if supported.

Open CVE-2025-32223 Report Open CVE Reference

Plugin High Patched: Yes CVE-2025-13673

CVE-2025-13673: Tutor LMS <= 3.9.6 - Unauthenticated SQL Injection via coupon_code

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on t...

Published

Feb 27, 2026

Patched Release

3.9.7

Affected Versions

Versions up to 3.9.6

Next Step

Update to 3.9.7 or newer if supported.

Open CVE-2025-13673 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-23799

CVE-2026-23799: Tutor LMS – eLearning and online course solution <= 3.9.5 - Missing Authorization

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.9.5. This makes it possible for authenticated attackers, with Subscriber-level ac...

Published

Feb 25, 2026

Patched Release

3.9.6

Affected Versions

Versions up to 3.9.5

Next Step

Update to 3.9.6 or newer if supported.

Open CVE-2026-23799 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-1371

CVE-2026-1371: Tutor LMS <= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces...

Published

Feb 02, 2026

Patched Release

3.9.6

Affected Versions

Versions up to 3.9.5

Next Step

Update to 3.9.6 or newer if supported.

Open CVE-2026-1371 Report Open CVE Reference

Plugin High Patched: Yes CVE-2026-1375

CVE-2026-1375: Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_dele...

Published

Feb 02, 2026

Patched Release

3.9.6

Affected Versions

Versions up to 3.9.5

Next Step

Update to 3.9.6 or newer if supported.

Open CVE-2026-1375 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-0548

CVE-2026-0548: Tutor LMS – eLearning and online course solution <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authe...

Published

Jan 20, 2026

Patched Release

3.9.5

Affected Versions

Versions up to 3.9.4

Next Step

Update to 3.9.5 or newer if supported.

Open CVE-2026-0548 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-13628

CVE-2025-13628: Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3...

Published

Jan 08, 2026

Patched Release

3.9.4

Affected Versions

Versions up to 3.9.3

Next Step

Update to 3.9.4 or newer if supported.

Open CVE-2025-13628 Report Open CVE Reference