WordPress Plugin Vulnerabilities

Tutor LMS < 3.9.8 - Missing Authorization

Description

The Tutor LMS plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 3.9.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
tutor
Fixed in 3.9.8

References

CVE
CVE-2026-40740
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6625dcea-13cc-4c08-9361-946638bf6678

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
3diklab
Verified
No
WPVDB ID
ded45b9e-f850-4b3b-970a-c214d2e26952

Timeline

Publicly Published
2026-03-15 (about 1 month ago)
Added
2026-05-07 (about 6 days ago)
Last Updated
2026-05-07 (about 6 days ago)

Other

Published
Title
Published
2025-03-18
Title
CozyStay < 1.7.1 - Missing Authorization to Arbitrary Action Execution in ajax_handler
Published
2025-02-02
Title
BookPress – For Book Authors <= 1.2.7 - Missing Authorization
Published
2026-04-16
Title
MyRewards < 5.7.4 - Missing Authorization
Published
2025-01-03
Title
Poll Maker < 5.5.7 - Missing Authorization
Published
2025-09-09
Title
Accessibility Checker by Equalize Digital < 1.31.1 - Missing Authorization