Description
Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.7.
Published: 2026-04-15
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Apply Patch
AI Analysis

Impact

Missing authorization in the Tutor LMS plugin for WordPress allows an attacker to bypass intended access restrictions and read or modify data that should be protected. This flaw arises from incorrectly configured access control security levels, enabling users with insufficient privileges to perform privileged actions. The weakness is classified as CWE‑862, a missing authorization issue.

Affected Systems

The vulnerability affects the Themeum Tutor LMS plugin for WordPress, versions up to and including 3.9.7. Any installation running these versions is susceptible; newer releases are not impacted.

Risk and Exploitability

The CVSS score is not publicly available, and EPSS data is lacking, so a precise risk level cannot be quantified. The plugin operates in a web environment, so the likely attack vector is remote, accessed via HTTP requests to the WordPress site. An attacker who can log in with a limited role or trick a user into visiting specific URLs may exploit the broken access control to obtain unauthorized data or perform administrative actions.

Generated by OpenCVE AI on April 15, 2026 at 11:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tutor LMS plugin to version 3.9.8 or later.
  • If an upgrade is not immediately possible, restrict the plugin’s functionality to trusted roles by adjusting WordPress user permissions or employ a role‑management plugin to block unauthorized access.
  • Review access logs for unusual activity and monitor users who gain elevated privileges outside of normal patterns.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 13:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Themeum; Themeum tutor Lms; Wordpress; Wordpress wordpress
Vendors & Products | | Themeum; Themeum tutor Lms; Wordpress; Wordpress wordpress

Wed, 15 Apr 2026 10:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.7.
Title | | WordPress Tutor LMS plugin <= 3.9.7 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-15T10:21:34.311Z

Reserved: 2026-04-15T09:19:38.194Z

Link: CVE-2026-40740

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-15T11:16:36.177

Modified: 2026-04-15T11:16:36.177

Link: CVE-2026-40740

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T13:44:58Z

Weaknesses