WordPress Plugin Vulnerabilities

Tutor LMS < 3.4.1 - Subscriber+ HTML Injection

Description

The plugin is vulnerable to HTML Injection due to the plugin not properly restricting HTML content from subscribers. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject HTML where they should not be authorized to.

Affects Plugins

Plugin icon
tutor
Fixed in 3.4.1

References

CVE
CVE-2025-32230
URL
https://patchstack.com/database/wordpress/plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-4-0-html-injection-vulnerability

Classification

Type
INJECTION
OWASP top 10
A1: Injection
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Revan Arifio
Verified
No
WPVDB ID
9de8dd76-fda1-4674-bc51-fd5d15c53776

Timeline

Publicly Published
2025-04-07 (about 1 year ago)
Added
2025-04-15 (about 1 year ago)
Last Updated
2025-04-15 (about 1 year ago)

Other

Published
Title
Published
2026-04-16
Title
Quiz and Survey Master (QSM) < 11.1.1 - Unauthenticated Shortcode Injection
Published
2020-03-04
Title
Appointment Booking Calendar < 1.3.35 - CSV Injection
Published
2023-10-22
Title
wpDiscuz < 7.6.11 - Unauthenticated Content Injection
Published
2023-10-20
Title
MainWP Dashboard < 4.5.1.3 - Authenticated(Administrator+) CSS Injection
Published
2026-04-21
Title
HTTP Headers <= 1.19.2 - Administrator+ CRLF Injection via Custom Header Values