Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons.
Published: 2026-01-09
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Coupon Tampering by Authenticated Subscriber
Action: Patch plugin
AI Analysis

Impact

The vulnerability lies in the absence of a capability check in the bulk_action_handler and coupon_permanent_delete functions of the Tutor LMS plugin. As a result, any authenticated user with subscriber level access or higher can delete, activate, deactivate, or trash arbitrary coupons. This represents a missing access control flaw (CWE‑862) that allows unauthorized modification of coupon data, potentially disrupting pricing structures and revenue streams.

Affected Systems

All installations of the Tutor LMS – eLearning and online course solution plugin from themeum that are running version 3.9.3 or earlier. The plugin is a WordPress extension and any site that includes it is vulnerable until an update is applied.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate risk, but the EPSS score of less than 1% shows that the exploitation probability is currently very low. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to be authenticated with at least subscriber level access, meaning that anyone holding such an account on a vulnerable site could exploit the flaw. Because the flaw only allows coupon manipulation and does not grant code execution or privilege escalation, the impact is limited to the integrity of coupon data.

Generated by OpenCVE AI on April 21, 2026 at 16:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest version of Tutor LMS (3.9.4 or newer) to apply the missing capability checks.
  • If an upgrade cannot be performed immediately, restrict subscriber‑level access to coupon management by using a firewall rule or plugin that blocks the bulk_action_handler and coupon_permanent_delete URLs for non‑admin users.
  • Modify the plugin’s functions or add a custom code snippet to enforce a capability check (for example, current_user_can('manage_woocommerce')) before performing coupon modifications.

Generated by OpenCVE AI on April 21, 2026 at 16:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Themeum
Themeum tutor Lms
Wordpress
Wordpress wordpress
Vendors & Products Themeum
Themeum tutor Lms
Wordpress
Wordpress wordpress

Fri, 09 Jan 2026 07:30:00 +0000

Type Values Removed Values Added
Description The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons.
Title Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Themeum Tutor Lms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:49:55.422Z

Reserved: 2025-11-24T21:38:45.491Z

Link: CVE-2025-13628

cve-icon Vulnrichment

Updated: 2026-01-09T19:11:23.937Z

cve-icon NVD

Status : Deferred

Published: 2026-01-09T08:15:56.660

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13628

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T16:45:15Z

Weaknesses