Unauthorized Access Vulnerability in Tutor LMS Plugin by WordPress
CVE-2026-12275

Currently unrated

Key Information:

Vendor

WordPress

Status
Vendor
CVE Published:
13 July 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-12275?

The Tutor LMS WordPress plugin prior to version 3.9.13 is vulnerable due to insufficient access control measures in its Droip and Kirki page-builder integrations. This vulnerability allows authenticated users with only subscriber-level access to enroll in paid or private courses without proper authorization. Additionally, these users can read private course content and mark arbitrary courses as completed, posing a significant risk to site owners who rely on this plugin for managing educational content.

Affected Version(s)

Tutor LMS 0 < 3.9.13

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dilovar Berdiev
WPScan
.