Skip to main content

Tutor LMS CVE-2026-13443

| EUVDEUVD-2026-40893 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 Wordfence GHSA-78vh-g76h-gmfr
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires a victim to load the injected page (UI:R); all other metrics align with the provided vector: low-privilege author account (PR:L), network delivery, scope change into victim browser (S:C), no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 05:29 vuln.today
CVE Published
Jul 01, 2026 - 03:43 nvd
MEDIUM 6.4

DescriptionCVE.org

The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title in all versions up to, and including, 3.9.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in Tutor LMS (WordPress plugin by Themeum) versions through 3.9.13 allows authenticated attackers holding author-level or higher WordPress roles to inject persistent malicious scripts via the Lesson Attachment Title field. The injected payload is stored in the WordPress database and executes in the browser of any user who subsequently accesses a course page rendering the attachment - achieving a scope change from the plugin's context into the victim's browsing session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register WordPress author-level account
Delivery
Create or edit lesson with crafted attachment title containing XSS payload
Exploit
Payload persists in WordPress database unsanitized
Execution
Victim navigates to lesson page with injected attachment
Persist
Browser renders unescaped title and executes script
Impact
Attacker steals session token or performs actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires a WordPress user account with at minimum author-level role, specifically one that has permission to create or edit lessons and upload attachments within the Tutor LMS plugin. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 6.4 (Medium) reflects a network-delivered, low-complexity attack requiring only low privilege (author role) with a scope change that grants limited confidentiality and integrity impact against victims. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises an author-level WordPress account on a site running Tutor LMS 3.9.13 or earlier, then creates or edits a lesson and names an attachment with a crafted title such as a script injection payload. The payload is saved to the WordPress database without sanitization. …
Remediation The primary fix is to update the Tutor LMS plugin beyond version 3.9.13 - a patch has been committed to the WordPress plugin SVN repository (changeset 3590029: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3590029%40tutor&new=3590029%40tutor), though the exact released version number containing this fix is not independently confirmed from the provided data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-13443 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy