CVE-2026-12275

Themeum · Tutor LMS

The Tutor LMS WordPress plugin fails to enforce capability checks in its page-builder integrations, allowing unauthorized access to restricted course content.

Executive summary

A vulnerability in the Tutor LMS WordPress plugin allows authenticated users to bypass critical access controls, potentially exposing private or paid course content.

Vulnerability

The plugin fails to perform necessary enrollment and purchase capability checks within its Droip and Kirki page-builder integrations. This allows authenticated users with subscriber-level access to bypass security restrictions and access private or paid course materials.

Business impact

With a CVSS score of 7.1, this vulnerability poses a significant risk to the business model of organizations relying on paid course content. Unauthorized access could lead to loss of revenue, intellectual property theft, and reputational damage. The ability of low-privileged users to bypass these checks undermines the integrity of the platform's access control system.

Remediation

Immediate Action: Update the Tutor LMS WordPress plugin to version 3.9.13 or later immediately.

Proactive Monitoring: Monitor site traffic for unusual access patterns to paid or private course pages by subscriber-level accounts.

Compensating Controls: Use a Web Application Firewall (WAF) to inspect requests for unauthorized attempts to access protected course resources.

Exploitation status

Public Exploit Available: Yes (per public PoC availability)

Analyst recommendation

The presence of a proof-of-concept makes this vulnerability an immediate concern. Administrators must verify that all instances of the Tutor LMS plugin are updated to version 3.9.13 or later to prevent unauthorized access to restricted course content.