GCVE - cpe:2.3:a:themeum:tutor_lms:*:*:*:*:free:wordpress:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:themeum:tutor_lms:*:*:*:*:free:wordpress:*:*

part: a version: * update: *

Vendor	Themeum (`12449a9f-b8a3-5f81-9e39-f958a6d45415`)
Product	Tutor Lms (`2fe227b0-846b-5837-98cd-fc776635d107`)
Edition	*
Language	*
Software edition	free
Target software	wordpress
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-6680`	vulnerable	2026-06-03 15:12:28.504157	Tutor LMS <= 3.8.3 - Missing Authorization to Sensitive Information Exposure MEDIUM (4.3) The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level access and above, to view assignments for courses they don't teach which may contain sensitive information. Published: 2025-10-25T05:31:18.909Z Updated: 2026-04-08T16:38:16.474Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/1b8d88e4-a9dc-4740-b836-99f730beefcb?source=cve https://plugins.trac.wordpress.org/changeset/3382577/tutor/trunk/templates/dashboard/assignments/review.php?old=3249440&old_path=tutor%2Ftrunk%2Ftemplates%2Fdashboard%2Fassignments%2Freview.php	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-11564`	vulnerable	2026-06-03 14:58:42.692898	Tutor LMS – eLearning and online course solution <= 3.8.3 - Missing Authorization to Unauthenticated Payment Status Update MEDIUM (5.3) The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'. Published: 2025-10-25T05:31:19.940Z Updated: 2026-04-08T16:42:37.294Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/26289a93-063b-469a-9d09-c286d76fce0c?source=cve https://plugins.trac.wordpress.org/browser/tutor/tags/3.8.3/ecommerce/PaymentGateways/Paypal/src/Payments/Paypal/Paypal.php#L323	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-43142`	vulnerable	2026-06-03 14:56:44.580080	WordPress Tutor LMS plugin <= 2.7.3 - Broken Access Control vulnerability MEDIUM (4.3) Missing Authorization vulnerability in Themeum Tutor LMS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through 2.7.3. Published: 2024-11-01T14:17:46.601Z Updated: 2026-04-28T16:10:08.991Z Open on db.gcve.eu Reference links https://patchstack.com/database/vulnerability/tutor/wordpress-tutor-lms-plugin-2-7-3-broken-access-control-vulnerability?_s_id=cve	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.