Impact
WordPress Tutor LMS versions 3.9.7 and earlier contain a broken access‑control flaw. The CVE description states that unauthenticated users can bypass access restrictions within the plugin. This weakness is classified as CWE‑862, indicating improper authorization checks that enable unauthorized users to view or manipulate protected content.
Affected Systems
The affected product is the WordPress Tutor LMS plugin from Themeum. All releases up to and including 3.9.7 are vulnerable. No other versions or products are listed as affected.
Risk and Exploitability
The CVSS score of 6.5 places the flaw in the medium severity range. The EPSS score of less than 1% suggests that exploitation is unlikely currently. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves unauthenticated HTTP requests to plugin endpoints that do not enforce proper authorization checks; an attacker could gain access to LMS features that should be restricted to authenticated users.
OpenCVE Enrichment