Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level access and above, to view assignments for courses they don't teach which may contain sensitive information.
Published: 2025-10-25
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Exposure
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an access control flaw that allows an authenticated user with tutor-level permissions or higher to view assignments for courses they are not authorized to teach. This exposes potentially sensitive student data stored in those assignments. The weakness maps to CWE-284. No remote code execution or denial‑of‑service effect is described, so the impact is limited to confidentiality loss.

Affected Systems

All installations of the Tutor LMS – eLearning and online course solution plugin for WordPress up to and including version 3.8.3 are affected. The plugin is available as a free WordPress add‑on and uses a role hierarchy that includes a tutor role.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate risk. The EPSS score of less than 1% suggests a low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attacker must first authenticate and possess a tutor or higher role before the exposure can occur, so the attack vector is post‑authentication. The risk is primarily the accidental or malicious disclosure of assignment content to unintended users.

Generated by OpenCVE AI on April 22, 2026 at 14:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tutor LMS to version 3.8.4 or later, which contains the access control fix
  • Reduce the privileges of the tutor role by limiting its permissions to only the courses it is supposed to manage
  • Enforce server‑side authorization checks for assignment retrieval to ensure only authorized teachers can access assignment data

Generated by OpenCVE AI on April 22, 2026 at 14:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Dec 2025 00:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:themeum:tutor_lms:*:*:*:*:free:wordpress:*:*

Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Themeum
Themeum tutor Lms
Wordpress
Wordpress wordpress
Vendors & Products Themeum
Themeum tutor Lms
Wordpress
Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 25 Oct 2025 05:45:00 +0000

Type Values Removed Values Added
Description The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level access and above, to view assignments for courses they don't teach which may contain sensitive information.
Title Tutor LMS <= 3.8.3 - Missing Authorization to Sensitive Information Exposure
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Themeum Tutor Lms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:38:16.474Z

Reserved: 2025-06-25T20:08:13.654Z

Link: CVE-2025-6680

cve-icon Vulnrichment

Updated: 2025-10-27T15:47:18.730Z

cve-icon NVD

Status : Analyzed

Published: 2025-10-25T06:15:36.563

Modified: 2025-12-05T00:23:55.297

Link: CVE-2025-6680

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T14:15:20Z

Weaknesses