Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability.
Published: 2026-04-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Private Course Enrollment
Action: Apply Patch
AI Analysis

Impact

The Tutor LMS plugin for WordPress contains a flaw that permits any authenticated user with Subscriber or higher role to enroll in courses marked as private. The enroll_now() and course_enrollment() functions validate the nonce, authentication, and whether the course is purchasable, but omit a check for the course’s private post_status. Consequently, a crafted POST request with the target course ID creates an enrollment record in the database, and the subscriber can view the private course title and enrollment status in their dashboard. Although WordPress core blocks access to the actual content, the exposed metadata reveals private course existence, leading to privacy leakage.

Affected Systems

All WordPress sites that use the Tutor LMS plugin version 3.9.7 or earlier are affected. The plugin is distributed by Themeum and is commonly installed on eLearning WordPress sites. Sites that have not upgraded beyond 3.9.7 retain the vulnerability and may unintentionally allow subscriber-level users to enroll in private courses.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity. Any authenticated user can exploit the flaw by sending a simple POST request to the enrollment endpoint, requiring only basic knowledge of HTTP methods and the target course ID. No elevated privileges or complex exploits are necessary. The absence of an EPSS score and the lack of inclusion in the CISA KEV catalog suggest that exploitation is not yet widespread, but the easy accessibility of the vulnerability demands prompt remediation.

Generated by OpenCVE AI on April 11, 2026 at 02:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tutor LMS to version 3.9.8 or later, which restores private post_status validation on enrollment endpoints.
  • If an immediate upgrade is not feasible, add a custom code snippet to your theme’s functions.php or a site‑specific plugin that hooks into the enrollment process and aborts enrollment requests for users lacking the read_private_posts capability.
  • Verify that private courses no longer appear in subscriber dashboards after the upgrade or custom restriction, and monitor for unauthorized enrollment attempts.
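The interim mitigation in the second recommended action, written out as an added example for a site-specific plugin. This is not Tutor LMS code and not part of the advisory: it assumes Tutor LMS fires an action before it writes an enrollment record and passes the course ID as the first argument (the hook name `tutor_before_enroll` used here is an assumption to be checked against the installed plugin version), and it applies the same `read_private_posts` rule the advisory names. Denied attempts are written to the PHP error log so that the monitoring in the third action has something to look at.

```php
<?php
/**
 * Added example, not Tutor LMS code: gate enrollment in private courses
 * behind the read_private_posts capability on sites that cannot yet
 * upgrade past Tutor LMS 3.9.7.
 *
 * Assumption: Tutor LMS fires an action before enrollment with the course
 * ID as its first argument. The hook name 'tutor_before_enroll' below is
 * assumed and must be confirmed against the installed plugin version.
 */

/**
 * Decide whether the current user may enroll in $course_id.
 * Returns true, or a WP_Error explaining why enrollment must stop.
 */
function example_private_course_enrollment_check( $course_id ) {
    // The course ID arrives as a string from the POST body; normalise it.
    $course_id = absint( $course_id );
    if ( 0 === $course_id ) {
        return new WP_Error( 'invalid_course', 'Invalid course ID.' );
    }

    // get_post_status() returns false when no such post exists.
    $status = get_post_status( $course_id );
    if ( false === $status ) {
        return new WP_Error( 'unknown_course', 'Course does not exist.' );
    }

    // Only private courses need the extra gate; the plugin's own nonce,
    // authentication and purchasability checks still apply to the rest.
    if ( 'private' !== $status ) {
        return true;
    }

    // Mirror WordPress core's rule for who may read private posts.
    if ( current_user_can( 'read_private_posts' ) ) {
        return true;
    }

    return new WP_Error( 'private_course', 'You are not allowed to enroll in this course.' );
}

/**
 * Abort the request when the check fails, logging the denied attempt
 * (user, course, reason) for the site owner.
 */
function example_block_private_course_enrollment( $course_id ) {
    $result = example_private_course_enrollment_check( $course_id );
    if ( true === $result ) {
        return;
    }

    error_log( sprintf(
        'Blocked private course enrollment: user %d, course %d, reason %s',
        get_current_user_id(),
        absint( $course_id ),
        $result->get_error_code()
    ) );

    // AJAX callers get a JSON error; classic form posts get a 403 page.
    if ( wp_doing_ajax() ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 403 );
    }
    wp_die( esc_html( $result->get_error_message() ), 'Forbidden', array( 'response' => 403 ) );
}

// Assumed hook name; confirm it against the Tutor LMS version in use.
add_action( 'tutor_before_enroll', 'example_block_private_course_enrollment', 10, 1 );
```

The capability check is deliberately the same one WordPress core uses to decide who may view a private post, so the enrollment gate and the content gate agree; once the site is upgraded to a version that validates `post_status` itself, the snippet is redundant and can be removed.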

Generated by OpenCVE AI on April 11, 2026 at 02:51 UTC.


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 16:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Type: First Time appeared
Values removed: none
Values added: Themeum; Themeum tutor Lms – Elearning And Online Course Solution; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: none
Values added: Themeum; Themeum tutor Lms – Elearning And Online Course Solution; Wordpress; Wordpress wordpress

Sat, 11 Apr 2026 01:30:00 +0000

Type: Description
Values removed: none
Values added: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability.

Type: Title
Values removed: none
Values added: Tutor LMS <= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment

Type: Weaknesses
Values removed: none
Values added: CWE-862

Type: References
Values removed: none
Values added: none listed

Type: Metrics
Values removed: none
Values added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-13T15:15:08.860Z

Reserved: 2026-02-27T18:34:05.013Z

Link: CVE-2026-3358

Vulnrichment

Updated: 2026-04-13T15:11:43.078Z

NVD

Status : Deferred

Published: 2026-04-11T02:16:01.770

Modified: 2026-04-24T18:00:32.033

Link: CVE-2026-3358

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:56:47Z

Weaknesses