Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS requires a victim to load the injected page (UI:R); all other metrics align with the provided vector: low-privilege author account (PR:L), network delivery, scope change into victim browser (S:C), no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title in all versions up to, and including, 3.9.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in Tutor LMS (WordPress plugin by Themeum) versions through 3.9.13 allows authenticated attackers holding author-level or higher WordPress roles to inject persistent malicious scripts via the Lesson Attachment Title field. The injected payload is stored in the WordPress database and executes in the browser of any user who subsequently accesses a course page rendering the attachment - achieving a scope change from the plugin's context into the victim's browsing session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a WordPress user account with at minimum author-level role, specifically one that has permission to create or edit lessons and upload attachments within the Tutor LMS plugin. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.4 (Medium) reflects a network-delivered, low-complexity attack requiring only low privilege (author role) with a scope change that grants limited confidentiality and integrity impact against victims. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises an author-level WordPress account on a site running Tutor LMS 3.9.13 or earlier, then creates or edits a lesson and names an attachment with a crafted title such as a script injection payload. The payload is saved to the WordPress database without sanitization. … |
| Remediation | The primary fix is to update the Tutor LMS plugin beyond version 3.9.13 - a patch has been committed to the WordPress plugin SVN repository (changeset 3590029: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3590029%40tutor&new=3590029%40tutor), though the exact released version number containing this fix is not independently confirmed from the provided data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
{id} - complicates both detection and opportunistic exploitation, as the attacker cannot independently fire the injected
SQL injection in Tutor LMS (WordPress plugin by Themeum) exposes the underlying database to read-access by any authentic
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40893
GHSA-78vh-g76h-gmfr