Stored Cross-site Scripting Vulnerability in Themeum Plugin for Learning Management Systems
CVE-2025-63042

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Tutor Lms Elementor Addons
Vendor: CVE Published:; 9 December 2025

What is CVE-2025-63042?

A security vulnerability has been identified in the Tutor LMS Elementor Addons developed by Themeum. This issue arises from improper neutralization of user input during web page generation, allowing for Stored Cross-site Scripting (XSS). An attacker might exploit this vulnerability by injecting malicious scripts into web pages viewed by other users. This can lead to unauthorized access to sensitive information or execution of harmful actions on behalf of the users. The affected versions of the plugin include all versions up to and including 3.0.1. Website administrators are strongly advised to update the plugin to the latest version to mitigate the risks associated with this vulnerability.

Affected Version(s)

Tutor LMS Elementor Addons <= n/a

References

https://vdp.patchstack.com/database/Wordpress/Plugin/tuto...

vdb-entry

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 9, 2025
Vulnerability Reserved
Oct 24, 2025

Credit

Mdr | Patchstack Bug Bounty Program

JSON