WordPress Plugin Vulnerabilities

Tutor LMS – eLearning and online course solution < 3.9.8 - Missing Authorization

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.9.7. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
tutor
Fixed in 3.9.8

References

CVE
CVE-2026-40743
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e4482f92-024d-402d-9cf3-c4709f23baf0

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
lagi bljr
Verified
No
WPVDB ID
389459e2-3875-4738-b1d7-9f9246f91003

Timeline

Publicly Published
2026-04-20 (about 23 days ago)
Added
2026-04-30 (about 13 days ago)
Last Updated
2026-04-30 (about 13 days ago)

Other

Published
Title
Published
2024-04-25
Title
Barcode Scanner with Inventory & Order Manager < 1.5.4 - Missing Authorization
Published
2025-10-16
Title
Construction Light <= 1.6.7 - Missing Authorization
Published
2022-05-13
Title
Files Download Delay < 1.0.7 - Subscriber+ Settings Reset
Published
2024-05-30
Title
Premium Addons for Elementor < 4.10.32 - Missing Authorization to Information Disclosure
Published
2026-03-30
Title
WooPayments < 10.6.0 - Unauthenticated Plugin Settings Update