Description
Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.7.
Published: 2026-04-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Apply Patch
AI Analysis

Impact

Missing authorization in the Tutor LMS plugin for WordPress allows an attacker to bypass intended access restrictions and read or modify data that should be protected. The flaw arises from incorrectly configured access control security levels, enabling users with insufficient privileges to perform privileged actions. The weakness is classified as CWE-862, a missing authorization issue.

Affected Systems

The vulnerability affects the Themeum Tutor LMS plugin for WordPress, versions up to and including 3.9.7. Any installation running these versions is susceptible; newer releases are not impacted.

Risk and Exploitability

The assessment indicates medium severity and a low likelihood of exploitation. The plugin operates in a web environment, so the likely attack vector is remote, accessed via HTTP requests to the WordPress site. An attacker who can log in with a limited role or trick a user into visiting specific URLs may exploit the broken access control to obtain unauthorized data or perform administrative actions.

Generated by OpenCVE AI on April 17, 2026 at 08:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tutor LMS plugin to version 3.9.8 or later.
  • If an upgrade is not immediately possible, restrict the plugin's functionality to trusted roles by adjusting WordPress user permissions or by employing a role-management plugin to block unauthorized access.
  • Review access logs for unusual activity and monitor users who gain elevated privileges outside of normal patterns.



Advisories

No advisories yet.

History

Thu, 16 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 13:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Themeum; Themeum tutor Lms; Wordpress; Wordpress wordpress
Vendors & Products | | Themeum; Themeum tutor Lms; Wordpress; Wordpress wordpress

Wed, 15 Apr 2026 10:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.7.
Title | | WordPress Tutor LMS plugin <= 3.9.7 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:04.818Z

Reserved: 2026-04-15T09:19:38.194Z

Link: CVE-2026-40740

Vulnrichment

Updated: 2026-04-16T14:49:43.738Z

NVD

Status: Deferred

Published: 2026-04-15T11:16:36.177

Modified: 2026-04-22T20:23:16.350

Link: CVE-2026-40740

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T08:30:13Z
