Sensitive Information Exposure in Tutor LMS Plugin for WordPress
CVE-2026-1371

5.3MEDIUM

Key Information:

Vendor

WordPress
Status
Tutor Lms – Elearning And Online Course Solution
Vendor
CVE Published:
3 February 2026

What is CVE-2026-1371?

The Tutor LMS plugin for WordPress, an eLearning and online course solution, is affected by a vulnerability due to inadequate authorization checks in the ajax_coupon_details() function. This oversight allows authenticated users with Subscriber-level access and higher to exploit the vulnerability, potentially accessing sensitive coupon information. This includes critical details such as coupon codes, discount amounts, usage statistics, and applicable courses or bundles. Users should update to version 3.9.6 or later to mitigate this risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Tutor LMS – eLearning and online course solution * <= 3.9.5

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9...
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9...

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Supakiad S.
JSON
.