The Tutor LMS WordPress plugin before 3.9.13 has a vulnerability in its Droip and Kirki page-builder integration. This vulnerability allows authenticated users with subscriber-level access to enroll in paid or private courses without authorization, read private course content, and mark arbitrary courses as completed on sites where the Droip or Kirki integration is active.
The Tutor LMS WordPress plugin before version 3.9.13 has a vulnerability that allows authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue. This vulnerability is considered medium severity and has been publicly disclosed. Users of the Tutor LMS WordPress plugin, es [truncated]