Skip to main content

Tutor LMS CVE-2026-12275

| EUVDEUVD-2026-43290 HIGH
2026-07-13 WPScan GHSA-99wj-j8x8-6wwx
7.1
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
5.4 MEDIUM

Network, low-complexity abuse by an authenticated subscriber (PR:L); confidentiality rated L as the exposed asset is course content not credentials, integrity L for unauthorized enroll/complete, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

5
CVE Published
Jul 13, 2026 - 19:20 cve.org
HIGH 7.1
Analysis Generated
Jul 13, 2026 - 19:11 vuln.today
CVSS changed
Jul 13, 2026 - 19:07 NVD
7.1 (HIGH)
Patch available
Jul 13, 2026 - 08:01 EUVD
CVE Published
Jul 13, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The Tutor LMS WordPress plugin before 3.9.13 does not, in its Droip and Kirki page-builder integration, perform the enrollment, purchase, and private-course capability checks it enforces in its core course handler, allowing authenticated users with subscriber-level access to enroll in paid or private courses without authorization, read private course content, and mark arbitrary courses as completed, on sites where the Droip or Kirki integration is active.

AnalysisAI

Broken authorization in the Tutor LMS WordPress plugin (before 3.9.13) lets authenticated subscriber-level users bypass paid/private-course access controls when the Droip or Kirki page-builder integration is active. Because these integration handlers omit the enrollment, purchase, and private-course capability checks enforced in the core course handler, low-privileged accounts can self-enroll in paid or private courses, read otherwise-restricted content, and mark arbitrary courses complete. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register/obtain subscriber account
Delivery
Reach Droip/Kirki integration course endpoint
Exploit
Invoke action bypassing capability check
Execution
Enroll in paid/private course
Impact
Read content and mark completed

Vulnerability AssessmentAI

Exploitation Requires an authenticated account at subscriber level or above (CVSS PR:L), reachable over the network with no user interaction (AV:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, 7.1 High) indicates a network-reachable, low-complexity attack needing only low privileges and no user interaction - consistent with a logged-in subscriber abusing a WordPress site that allows open registration. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account (or uses any existing low-privileged login) on a WordPress site running vulnerable Tutor LMS with the Droip or Kirki integration enabled. Using the publicly documented WPScan technique, they invoke the integration's course actions to enroll in a paid course without payment, read the private course content, and mark it as completed - obtaining paid material and completion status for free, over the network and with no user interaction.
Remediation Upgrade Tutor LMS to version 3.9.13 or later, which restores the enrollment, purchase, and private-course capability checks in the Droip and Kirki integration paths (Vendor-released patch: 3.9.13). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-1751 HIGH POC
8.8 Mar 13

The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via

CVE-2024-4351 HIGH
8.8 May 16

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data

CVE-2024-4352 HIGH
8.8 May 16

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data

CVE-2021-24184 HIGH POC
8.8 Apr 05

Several AJAX endpoints in the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7.7 were unprot

CVE-2024-10400 HIGH POC
7.5 Nov 21

The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the ‘rating_filter’ parameter in all versions up t

CVE-2023-3133 HIGH POC
7.5 Jul 04

The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowi

CVE-2026-12274 MEDIUM POC
6.5 Jul 13

Broken object-level authorization in the Tutor LMS WordPress plugin before 3.9.13 allows any authenticated instructor-le

CVE-2021-24186 MEDIUM POC
6.5 Apr 05

The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS - eLearning and online course soluti

CVE-2021-24185 MEDIUM POC
6.5 Apr 05

The tutor_place_rating AJAX action from the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7

CVE-2021-24183 MEDIUM POC
6.5 Apr 05

The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS - eLearning and online course solution WordPress

CVE-2021-24182 MEDIUM POC
6.5 Apr 05

The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS - eLearning and online course solution Wor

CVE-2021-24181 MEDIUM POC
6.5 Apr 05

The tutor_mark_answer_as_correct AJAX action from the Tutor LMS - eLearning and online course solution WordPress plugin

Share

CVE-2026-12275 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy