Skip to main content

Tutor Lms Pro

2 CVEs product

Monthly

CVE-2026-22332 CRITICAL Act Now

SQL injection in Tutor LMS Pro (Themeum) versions 3.9.6 and earlier allows remote unauthenticated attackers to inject arbitrary SQL against the underlying WordPress database. The CVSS 9.3 rating reflects a scope change with high confidentiality impact, meaning data accessible to the WordPress backend can be exposed. As of analysis, no public exploit identified at time of analysis, and the issue is tracked via Patchstack.

SQLi Tutor Lms Pro
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-25406 HIGH This Week

Authentication bypass in Tutor LMS Pro WordPress plugin (versions through 3.9.4) allows remote attackers to abuse authentication mechanisms via alternate paths, potentially gaining unauthorized administrative access. CVSS 8.1 reflects high attack complexity (AC:H) requiring specific conditions, yet successful exploitation grants complete system compromise (C:H/I:H/A:H). EPSS probability of 0.02% (6th percentile) indicates low observed exploitation activity. No active exploitation confirmed by CISA KEV. SSVC framework classifies this as non-automatable with total technical impact, making it a priority for organizations running this WordPress LMS plugin despite low real-world exploitation signals.

Authentication Bypass Tutor Lms Pro
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
EPSS 0% CVSS 9.3
CRITICAL Act Now

SQL injection in Tutor LMS Pro (Themeum) versions 3.9.6 and earlier allows remote unauthenticated attackers to inject arbitrary SQL against the underlying WordPress database. The CVSS 9.3 rating reflects a scope change with high confidentiality impact, meaning data accessible to the WordPress backend can be exposed. As of analysis, no public exploit identified at time of analysis, and the issue is tracked via Patchstack.

SQLi Tutor Lms Pro
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Authentication bypass in Tutor LMS Pro WordPress plugin (versions through 3.9.4) allows remote attackers to abuse authentication mechanisms via alternate paths, potentially gaining unauthorized administrative access. CVSS 8.1 reflects high attack complexity (AC:H) requiring specific conditions, yet successful exploitation grants complete system compromise (C:H/I:H/A:H). EPSS probability of 0.02% (6th percentile) indicates low observed exploitation activity. No active exploitation confirmed by CISA KEV. SSVC framework classifies this as non-automatable with total technical impact, making it a priority for organizations running this WordPress LMS plugin despite low real-world exploitation signals.

Authentication Bypass Tutor Lms Pro
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy