Experience API for TutorLMS by GrassBlade Security & Risk Analysis

wordpress.org/plugins/grassblade-xapi-tutorlms

Experience API for TutorLMS plugin adds xAPI, SCORM, and cmi5 support to Tutor LMS by integrating with the GrassBlade xAPI Companion plugin.

200 active installs · v2.8 · PHP 5.6+ · WP 4.0+ · Updated Mar 5, 2026

Tags: grassblade, reports, scorm, tutor-lms, xapi

Score: 100 · Grade A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Experience API for TutorLMS by GrassBlade Safe to Use in 2026?

Generally Safe

Score 100/100

Experience API for TutorLMS by GrassBlade has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 29d ago
Risk Assessment

The "grassblade-xapi-tutorlms" v2.8 plugin exhibits a mixed security posture. On the positive side, it has no recorded vulnerabilities (CVEs) and a limited number of entry points. The majority of its SQL queries utilize prepared statements, and it does not engage in external HTTP requests or file operations. However, significant concerns arise from the static analysis. A notable risk is the presence of an unprotected AJAX handler, which could be exploited by unauthenticated users to perform unintended actions.

Further, the plugin uses the `unserialize` function, which is inherently dangerous if the input is not strictly controlled and sanitized, potentially leading to remote code execution. The low percentage of properly escaped output (34%) also suggests a risk of cross-site scripting (XSS) vulnerabilities, where malicious scripts could be injected into the plugin's output. While the vulnerability history is clean, this is often a lagging indicator. The combination of these code-level risks, particularly the unprotected AJAX handler and the use of `unserialize`, overshadows the otherwise positive aspects, suggesting a moderate to high risk level that requires attention.

In conclusion, while the absence of known vulnerabilities and a relatively small attack surface are strengths, the identified code-level weaknesses, specifically the unprotected AJAX endpoint, the use of `unserialize`, and insufficient output escaping, present tangible security risks. These issues indicate that the plugin is not as robustly secured as it could be, and immediate attention should be given to rectifying these specific coding practices to mitigate potential exploits.

Key Concerns

  • Unprotected AJAX handler
  • Use of dangerous unserialize function
  • Low percentage of properly escaped output
  • Limited nonce checks
  • Limited capability checks
Vulnerabilities
None known

Experience API for TutorLMS by GrassBlade Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Experience API for TutorLMS by GrassBlade Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 4 (13 prepared)
Unescaped Output: 33 (17 escaped)
Nonce Checks: 3
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize | $settings_data = unserialize($settings->meta_value); | reports_progress_snapshot_report\functions.php:53

SQL Query Safety

76% prepared (17 total queries)

Output Escaping

34% escaped (50 total outputs)
Attack Surface
1 unprotected

Experience API for TutorLMS by GrassBlade Attack Surface

Entry Points: 4
Unprotected: 1

AJAX Handlers (4)

auth | wp_ajax_tutor_update_xapi_content_details | course_builder\custom-fields.depricated.lt-v3.3.0.php:14
auth | wp_ajax_tutor_get_xapi_content_details | course_builder\custom-fields.depricated.lt-v3.3.0.php:15
auth | wp_ajax_gbtutor_get_completion_tracking_status | course_builder\custom-fields.php:17
auth | wp_ajax_tutor_quiz_abandon | functions.php:93
WordPress Hooks (41)

action | tutor_course_builder_footer | course_builder\custom-fields.depricated.lt-v3.3.0.php:10
filter | tutor_course_details_response | course_builder\custom-fields.depricated.lt-v3.3.0.php:11
filter | tutor_lesson_details_response | course_builder\custom-fields.depricated.lt-v3.3.0.php:12
filter | tutor_quiz_details_response | course_builder\custom-fields.depricated.lt-v3.3.0.php:13
action | tutor_before_course_builder_load | course_builder\custom-fields.depricated.lt-v3.3.0.php:16
action | tutor_quiz/single/before/top | course_builder\custom-fields.depricated.lt-v3.3.0.php:17
action | save_post_courses | course_builder\custom-fields.php:11
action | save_post_lesson | course_builder\custom-fields.php:12
action | save_post_tutor_quiz | course_builder\custom-fields.php:13
filter | tutor_lesson_details_response | course_builder\custom-fields.php:14
filter | tutor_quiz_details_response | course_builder\custom-fields.php:15
filter | tutor_course_details_response | course_builder\custom-fields.php:16
action | tutor_course_builder_footer | course_builder\custom-fields.php:18
action | admin_menu | functions.php:38
action | plugins_loaded | functions.php:39
action | admin_notices | functions.php:58
action | tutor_lesson_edit_modal_form_after | functions.php:68
action | tutor_quiz_edit_modal_settings_tab_after | functions.php:69
action | tutor/lesson/created | functions.php:71
action | tutor/lesson_update/after | functions.php:72
action | tutor_quiz_settings_updated | functions.php:73
filter | grassblade_add_to_content_post | functions.php:75
action | tutor_quiz/body/before | functions.php:76
action | grassblade_completed | functions.php:78
action | grassblade_course_started | functions.php:79
action | tutor_course_complete_after | functions.php:80
action | tutor_quiz_finished | functions.php:81
action | tutor_quiz/attempt_ended | functions.php:82
action | tutor_mark_lesson_complete_after | functions.php:83
action | tutor_after_enrolled | functions.php:85
action | tutor/course/enrol_status_change/after | functions.php:86
filter | grassblade_lms_mark_complete_button_id | functions.php:88
filter | grassblade_lms_next_link | functions.php:90
action | tutor_lesson/single/after/complete_form | functions.php:91
action | tutor_quiz/body/after | functions.php:92
action | tutor/lesson_list/right_icon_area | functions.php:94
filter | grassblade_get_courses | functions.php:97
filter | grassblade_get_course_content_ids | functions.php:98
filter | grassblade_get_course | functions.php:99
filter | grassblade/reports/progress_snapshot/data | reports_progress_snapshot_report\functions.php:6
filter | grassblade/reports/progress_snapshot/details | reports_progress_snapshot_report\functions.php:7
Maintenance & Trust

Experience API for TutorLMS by GrassBlade Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Mar 5, 2026
PHP min version: 5.6
Downloads: 7K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 200
Developer Profile

Experience API for TutorLMS by GrassBlade Developer Profile

Pankaj Agrawal

21 plugins · 5K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Experience API for TutorLMS by GrassBlade

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/grassblade-xapi-tutorlms/course_builder/custom-fields.depricated.lt-v3.3.0.php
/wp-content/plugins/grassblade-xapi-tutorlms/course_builder/custom-fields.php
/wp-content/plugins/grassblade-xapi-tutorlms/reports_progress_snapshot_report/functions.php
/wp-content/plugins/grassblade-xapi-tutorlms/elements/menu_page.php

Version Parameters
grassblade-xapi-tutorlms/style.css?ver=
grassblade-xapi-tutorlms/js/custom.js?ver=

HTML / DOM Fingerprints

CSS Classes
gb-tutor-lms-settings-wrap
gb-tutor-lms-menu-section
grassblade-xapi-content-section
gb-tutor-lms-add-new-wrap

HTML Comments
<!-- Experience API for Tutor LMS Settings -->
<!-- End Experience API for Tutor LMS Settings -->
<!-- gb_tutor_lms_menu_page_content -->
<!-- End gb_tutor_lms_menu_page_content -->
(+4 more not shown)

Data Attributes
data-plugin-path="grassblade-xapi-tutorlms"
data-plugin-name="GrassBlade xAPI TutorLMS"

JS Globals
grassblade_tutor_activate_plugin
grassblade_tutor_data
FAQ

Frequently Asked Questions about Experience API for TutorLMS by GrassBlade