Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Network-reachable unauthenticated endpoint with no interaction required; limited confidentiality and integrity impact consistent with LMS data access/modification, no availability or scope change.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Broken Access Control in Tutor LMS <= 3.9.7 versions.
AnalysisAI
Broken access control in Tutor LMS WordPress plugin versions up to and including 3.9.7 permits unauthenticated remote attackers to bypass authorization checks and access or modify restricted LMS resources. The flaw, classified as CWE-862 (Missing Authorization), stems from the plugin failing to enforce appropriate permission checks before executing sensitive operations. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, though the unauthenticated attack vector and low complexity make this straightforward to exploit opportunistically.
Technical ContextAI
Tutor LMS (CPE: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:*:*:*) is a feature-rich Learning Management System plugin developed by Themeum for WordPress. The vulnerability is rooted in CWE-862 - Missing Authorization - which occurs when the application fails to verify that a requesting user has the right to access or perform an action on a given resource. In WordPress plugin context, this typically manifests as REST API endpoints, AJAX handlers (admin-ajax.php), or action hooks that omit capability checks such as current_user_can() or nonce/permission validation before serving or modifying data. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms the operation is reachable over the network with no authentication and no special configuration, consistent with an exposed WordPress endpoint lacking server-side authorization enforcement.
RemediationAI
Update the Tutor LMS plugin immediately to a version beyond 3.9.7 via the WordPress plugin dashboard or by downloading from the official WordPress plugin repository. An exact confirmed fix version was not independently specified in the available data - the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-7-broken-access-control-vulnerability-2 should be consulted to confirm the patched release. If immediate upgrade is not feasible, consider temporarily deactivating the plugin to eliminate the attack surface, accepting the trade-off of losing LMS functionality. A Web Application Firewall (WAF) rule targeting unauthorized access to the affected endpoint - details of which should be obtained from the Patchstack advisory - can serve as a compensating control, though WAF bypass is possible and should not substitute patching. Restrict access to the WordPress site's REST API or admin-ajax.php to authenticated users where operationally acceptable.
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data
Several AJAX endpoints in the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7.7 were unprot
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the ‘rating_filter’ parameter in all versions up t
The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowi
Broken authorization in the Tutor LMS WordPress plugin (before 3.9.13) lets authenticated subscriber-level users bypass
Broken object-level authorization in the Tutor LMS WordPress plugin before 3.9.13 allows any authenticated instructor-le
The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS - eLearning and online course soluti
The tutor_place_rating AJAX action from the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7
The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS - eLearning and online course solution WordPress
The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS - eLearning and online course solution Wor
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36974
GHSA-8mgw-v23g-2v44