Unauthorized Access Vulnerability in Tutor LMS Plugin by WordPress
CVE-2026-12275
Currently unrated
Key Information:
Badges
๐พ Exploit Exists๐ก Public PoC
What is CVE-2026-12275?
The Tutor LMS WordPress plugin prior to version 3.9.13 is vulnerable due to insufficient access control measures in its Droip and Kirki page-builder integrations. This vulnerability allows authenticated users with only subscriber-level access to enroll in paid or private courses without proper authorization. Additionally, these users can read private course content and mark arbitrary courses as completed, posing a significant risk to site owners who rely on this plugin for managing educational content.
Affected Version(s)
Tutor LMS 0 < 3.9.13
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.