Description
Unauthenticated Broken Access Control in Tutor LMS <= 3.9.7 versions.
Published: 2026-06-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Tutor LMS versions 3.9.7 and earlier contain a broken access‑control flaw. The CVE description states that unauthenticated users can bypass access restrictions within the plugin. This weakness is classified as CWE‑862, indicating improper authorization checks that enable unauthorized users to view or manipulate protected content.

Affected Systems

The affected product is the WordPress Tutor LMS plugin from Themeum. All releases up to and including 3.9.7 are vulnerable. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS score of 6.5 places the flaw in the medium severity range. The EPSS score of less than 1% suggests that exploitation is unlikely currently. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves unauthenticated HTTP requests to plugin endpoints that do not enforce proper authorization checks; an attacker could gain access to LMS features that should be restricted to authenticated users.

Generated by OpenCVE AI on June 18, 2026 at 00:59 UTC.

Remediation

Vendor Solution

Update the WordPress Tutor LMS Plugin to the latest available version (at least 3.9.8).


OpenCVE Recommended Actions

  • Update the WordPress Tutor LMS Plugin to version 3.9.8 or newer, which resolves the access‑control issue.
  • Restrict unauthenticated access to LMS pages by configuring web‑application firewall rules or .htaccess settings to block direct requests to the plugin’s URLs.
  • If an immediate update is not feasible, temporarily disable or uninstall the vulnerable plugin until the patch can be applied.

Generated by OpenCVE AI on June 18, 2026 at 00:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Themeum
Themeum tutor Lms
Wordpress
Wordpress wordpress
Vendors & Products Themeum
Themeum tutor Lms
Wordpress
Wordpress wordpress

Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Broken Access Control in Tutor LMS <= 3.9.7 versions.
Title WordPress Tutor LMS plugin <= 3.9.7 - Broken Access Control vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Themeum Tutor Lms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T12:32:51.257Z

Reserved: 2026-04-15T09:19:38.194Z

Link: CVE-2026-40743

cve-icon Vulnrichment

Updated: 2026-06-16T12:32:46.616Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:49.003

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-40743

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T01:00:05Z

Weaknesses