CVE-2026-1371
📋 TL;DR
This vulnerability in Tutor LMS WordPress plugin allows authenticated attackers with Subscriber-level access or higher to retrieve sensitive coupon information without proper authorization. It affects all versions up to 3.9.5 due to missing capability checks in the ajax_coupon_details() function. WordPress sites using vulnerable Tutor LMS versions are affected.
💻 Affected Systems
- Tutor LMS – eLearning and online course solution for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could harvest all coupon codes, discount amounts, usage statistics, and associated course/bundle data, enabling coupon fraud, revenue loss through unauthorized discounts, and business intelligence gathering.
Likely Case
Authenticated users exploiting the vulnerability to obtain coupon codes for personal gain or to share with others, potentially causing financial impact through unauthorized discounts.
If Mitigated
With proper access controls, only authorized administrators can view coupon details, preventing information exposure and maintaining coupon integrity.
🎯 Exploit Status
Exploitation requires authenticated access (Subscriber role or higher). The vulnerability is straightforward to exploit once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.6 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Tutor LMS plugin. 4. Click 'Update Now' if update available. 5. Alternatively, download version 3.9.6+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Temporary Access Restriction
allRestrict access to vulnerable function by modifying user roles or implementing additional authorization checks.
🧯 If You Can't Patch
- Restrict user registration and review existing user accounts, particularly those with Subscriber role.
- Implement web application firewall rules to block requests to the vulnerable ajax_coupon_details endpoint from unauthorized users.
🔍 How to Verify
Check if Vulnerable:
Check Tutor LMS plugin version in WordPress admin panel under Plugins → Installed Plugins. If version is 3.9.5 or earlier, you are vulnerable.Check Version:
wp plugin list --name=tutor --field=versionVerify Fix Applied:
After updating, verify Tutor LMS version is 3.9.6 or later. Test coupon detail access with Subscriber account to confirm proper authorization checks.📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to coupon-related AJAX endpoints from non-admin users
- Multiple requests to /wp-admin/admin-ajax.php with action=tutor_get_coupon_details from Subscriber-level accounts
Network Indicators:
- HTTP POST requests to admin-ajax.php with action parameter set to tutor_get_coupon_details from unauthorized IPs/users
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND post_data="action=tutor_get_coupon_details") AND user_role!="administrator"🔗 References
- https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L106
- https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L658
- https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/ecommerce/CouponController.php?contextall=1&old=3422766&old_path=%2Ftutor%2Ftrunk%2Fecommerce%2FCouponController.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7f5c5f64-a864-4ce1-9080-19f7c4418307?source=cve
