CVE-2026-1371Sensitive Information Exposure in Tutor LMS Elearning AND Online Course Solution

CWE-200Sensitive Information Exposure4 documents4 sources
Severity
5.3MEDIUMNVD
EPSS
0.0%
top 86.85%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Themeum Tutor LMS Elearning AND Online Course Solution
Timeline
PublishedFeb 3

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages1 packages

🔴Vulnerability Details

2
CVEList
Tutor LMS <= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action2026-02-03
GHSA
GHSA-v95c-5m39-5qg2: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and i2026-02-03

🕵️Threat Intelligence

1
Wiz
CVE-2026-1371 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-1371 — Sensitive Information Exposure | cvebase