CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-6184 – Tutor LMS Pro – eLearning and online course solution <= 3.7.0 - Authenticated (Tutor Instructor+) SQL Injection
https://notcve.org/view.php?id=CVE-2025-6184
12 Aug 2025 — The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter used in the get_submitted_assignments() function in all versions up to, and including, 3.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Tutor-level access and above, to append additional SQL queries into already existing queries t... • https://tutorlms.com • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-5831 – Droip <= 2.2.0 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-5831
24 Jul 2025 — The Droip plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the make_google_font_offline() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. El complemento Droip para WordPress es vulnerable a la carga de archivos arbitrarios debido a la falta de validación del t... • https://droip.com • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-5835 – Droip <= 2.2.0 - Missing Authorization to Authenticated (Subscriber+) Many Actions
https://notcve.org/view.php?id=CVE-2025-5835
24 Jul 2025 — The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions as the AJAX hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more. ... • https://droip.com • CWE-862: Missing Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1508 – WP Crowdfunding <= 2.1.13 - Missing Authorization to Authenticated (Subscriber+) Post Content Download
https://notcve.org/view.php?id=CVE-2025-1508
11 Mar 2025 — The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all versions up to, and including, 2.1.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to download all of a site's post content when WooCommerce is installed. The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the download_data action in all... • https://wordpress.org/plugins/wp-crowdfunding • CWE-862: Missing Authorization •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13228 – Qubely – Advanced Gutenberg Blocks <= 1.8.13 - Authenticated (Contributor+) Sensitive Information Exposure via qubely_get_content
https://notcve.org/view.php?id=CVE-2024-13228
10 Mar 2025 — The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.13 via the 'qubely_get_content'. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, scheduled, password-protected, draft, and trashed post data. • https://plugins.trac.wordpress.org/browser/qubely/trunk/core/QUBELY.php#L1172 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26767 – WordPress Qubely – Advanced Gutenberg Blocks plugin <= 1.8.12 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-26767
16 Feb 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Qubely – Advanced Gutenberg Blocks allows Stored XSS. This issue affects Qubely – Advanced Gutenberg Blocks: from n/a through 1.8.12. • https://patchstack.com/database/wordpress/plugin/qubely/vulnerability/wordpress-qubely-advanced-gutenberg-blocks-plugin-1-8-12-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9601 – Qubely – Advanced Gutenberg Blocks <= 1.8.12 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'align' and 'UniqueID'
https://notcve.org/view.php?id=CVE-2024-9601
13 Feb 2025 — The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ and 'UniqueID' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vul... • https://plugins.trac.wordpress.org/browser/qubely/trunk/core/blocks/postgrid.php#L1419 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11911 – WP Crowdfunding <= 2.1.12 - Missing Authorization to Authenticated (Subscriber+) WooCommerce Installation
https://notcve.org/view.php?id=CVE-2024-11911
12 Dec 2024 — The WP Crowdfunding plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the install_woocommerce_plugin() function action in all versions up to, and including, 2.1.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install WooCommerce. This has a limited impact on most sites because WooCommerce is a requirement. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3206336%40wp-crowdfunding%2Ftrunk&old=3174230%40wp-crowdfunding%2Ftrunk&sfp_email=&sfph_mail= • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11910 – WP Crowdfunding <= 2.1.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-11910
12 Dec 2024 — The WP Crowdfunding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the wp-crowdfunding/search block in all versions up to, and including, 2.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The WP Crowdfunding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via... • https://plugins.trac.wordpress.org/browser/wp-crowdfunding/trunk/includes/blocks/Search.php#L70 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10393 – Tutor LMS <= 2.7.6 - User Registration Setting Bypass to Unauthorized User Registration
https://notcve.org/view.php?id=CVE-2024-10393
20 Nov 2024 — The Tutor LMS plugin for WordPress is vulnerable to bypass to user registration in versions up to, and including, 2.7.6. This is due to a missing check for the 'users_can_register' option in the 'register_instructor' function. This makes it possible for unauthenticated attackers to register as the default role on the site, even if registration is disabled. • https://www.wordfence.com/threat-intel/vulnerabilities/id/bf8aa169-df51-46db-8c65-f1543d4f75f9?source=cve • CWE-284: Improper Access Control •