Skip to main content

Tutor LMS EUVDEUVD-2026-36974

| CVE-2026-40743 MEDIUM
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-8mgw-v23g-2v44
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable unauthenticated endpoint with no interaction required; limited confidentiality and integrity impact consistent with LMS data access/modification, no availability or scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 23:09 vuln.today

DescriptionCVE.org

Unauthenticated Broken Access Control in Tutor LMS <= 3.9.7 versions.

AnalysisAI

Broken access control in Tutor LMS WordPress plugin versions up to and including 3.9.7 permits unauthenticated remote attackers to bypass authorization checks and access or modify restricted LMS resources. The flaw, classified as CWE-862 (Missing Authorization), stems from the plugin failing to enforce appropriate permission checks before executing sensitive operations. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, though the unauthenticated attack vector and low complexity make this straightforward to exploit opportunistically.

Technical ContextAI

Tutor LMS (CPE: cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:*:*:*) is a feature-rich Learning Management System plugin developed by Themeum for WordPress. The vulnerability is rooted in CWE-862 - Missing Authorization - which occurs when the application fails to verify that a requesting user has the right to access or perform an action on a given resource. In WordPress plugin context, this typically manifests as REST API endpoints, AJAX handlers (admin-ajax.php), or action hooks that omit capability checks such as current_user_can() or nonce/permission validation before serving or modifying data. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms the operation is reachable over the network with no authentication and no special configuration, consistent with an exposed WordPress endpoint lacking server-side authorization enforcement.

RemediationAI

Update the Tutor LMS plugin immediately to a version beyond 3.9.7 via the WordPress plugin dashboard or by downloading from the official WordPress plugin repository. An exact confirmed fix version was not independently specified in the available data - the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-7-broken-access-control-vulnerability-2 should be consulted to confirm the patched release. If immediate upgrade is not feasible, consider temporarily deactivating the plugin to eliminate the attack surface, accepting the trade-off of losing LMS functionality. A Web Application Firewall (WAF) rule targeting unauthorized access to the affected endpoint - details of which should be obtained from the Patchstack advisory - can serve as a compensating control, though WAF bypass is possible and should not substitute patching. Restrict access to the WordPress site's REST API or admin-ajax.php to authenticated users where operationally acceptable.

CVE-2024-1751 HIGH POC
8.8 Mar 13

The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via

CVE-2024-4351 HIGH
8.8 May 16

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data

CVE-2024-4352 HIGH
8.8 May 16

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data

CVE-2021-24184 HIGH POC
8.8 Apr 05

Several AJAX endpoints in the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7.7 were unprot

CVE-2024-10400 HIGH POC
7.5 Nov 21

The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the ‘rating_filter’ parameter in all versions up t

CVE-2023-3133 HIGH POC
7.5 Jul 04

The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowi

CVE-2026-12275 HIGH POC
7.1 Jul 13

Broken authorization in the Tutor LMS WordPress plugin (before 3.9.13) lets authenticated subscriber-level users bypass

CVE-2026-12274 MEDIUM POC
6.5 Jul 13

Broken object-level authorization in the Tutor LMS WordPress plugin before 3.9.13 allows any authenticated instructor-le

CVE-2021-24186 MEDIUM POC
6.5 Apr 05

The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS - eLearning and online course soluti

CVE-2021-24185 MEDIUM POC
6.5 Apr 05

The tutor_place_rating AJAX action from the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7

CVE-2021-24183 MEDIUM POC
6.5 Apr 05

The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS - eLearning and online course solution WordPress

CVE-2021-24182 MEDIUM POC
6.5 Apr 05

The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS - eLearning and online course solution Wor

Share

EUVD-2026-36974 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy