Tutor lms – elearning and online course solution

This hub aggregates every CVE we track for Tutor lms – elearning and online course solution, a product in the web cms plugins space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Tutor lms – elearning and online course solution.

• CVE-2026-10736Tutor LMS <= 3.9.11 - Authenticated (Administrator+) SQL Injection via 'data' Parameter4.9Jun 18, 2026
• CVE-2026-6965Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter5.3May 13, 2026
• CVE-2026-5502Tutor LMS <= 3.9.8 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order5.3Apr 17, 2026
• CVE-2026-6080Tutor LMS <= 3.9.8 - Authenticated (Admin+) SQL Injection via 'date' Parameter6.5Apr 17, 2026
• CVE-2026-3371Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification4.3Apr 11, 2026
• CVE-2026-3358Tutor LMS <= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment5.4Apr 11, 2026
• CVE-2026-3360Tutor LMS <= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via 'order_id' Parameter7.5Apr 10, 2026
• CVE-2025-13673Tutor LMS <= 3.9.6 - Unauthenticated SQL Injection via coupon_code7.5Feb 28, 2026
• CVE-2026-1371Tutor LMS <= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action5.3Feb 3, 2026
• CVE-2026-1375Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion8.1Feb 3, 2026
• CVE-2026-0548Tutor LMS – eLearning and online course solution <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion5.4Jan 20, 2026
• CVE-2025-13934Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass4.3Jan 9, 2026
• CVE-2025-13935Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion4.3Jan 9, 2026
• CVE-2025-13628Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification4.3Jan 9, 2026
• CVE-2025-13679Tutor LMS <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via tutor_order_details6.5Jan 8, 2026