PT-2026-6042 · WordPress · Tutor Lms
Supakiad S
·
Published
2026-02-03
·
Updated
2026-02-03
·
CVE-2026-1371
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Tutor LMS versions prior to 3.9.6
Description
The Tutor LMS plugin for WordPress has a flaw where sensitive coupon details can be accessed without proper authorization. The issue stems from insufficient validation within the ajax_coupon_details() function, which only checks for nonces but does not confirm user permissions. This allows users with Subscriber-level access or higher to obtain confidential information about coupons, including coupon codes, discount amounts, usage data, and course/bundle associations.
Recommendations
Update Tutor LMS to version 3.9.6 or later.
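The description above names a general bug class: an AJAX handler that verifies a nonce but never checks a capability. The following added example (not Tutor LMS code and not part of the original advisory) is a heuristic Python audit that flags such handlers in plugin source; the embedded PHP sample and every `demo_*` name in it are constructed for illustration.

```python
import re

# Constructed sample plugin source (hypothetical demo_* names, not Tutor LMS code).
SAMPLE_PHP = r"""
<?php
add_action( 'wp_ajax_demo_coupon_details', 'demo_coupon_details' );
add_action( 'wp_ajax_demo_coupon_details_fixed', 'demo_coupon_details_fixed' );

function demo_coupon_details() {
    check_ajax_referer( 'demo_nonce' );            // nonce only: any logged-in user passes
    wp_send_json_success( demo_get_coupon( absint( $_POST['id'] ) ) );
}

function demo_coupon_details_fixed() {
    check_ajax_referer( 'demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { // authorization check
        wp_send_json_error( 'Forbidden', 403 );
    }
    wp_send_json_success( demo_get_coupon( absint( $_POST['id'] ) ) );
}
"""

# Matches add_action('wp_ajax_*', 'func') and array/[...] method callbacks.
HOOK = re.compile(r"add_action\(\s*['\"](wp_ajax_(?:nopriv_)?\w+)['\"]\s*,\s*(?:array\([^,]+,\s*|\[[^,]+,\s*)?['\"](\w+)['\"]")
NONCE = re.compile(r"\b(check_ajax_referer|wp_verify_nonce|check_admin_referer)\s*\(")
CAP = re.compile(r"\b(current_user_can|user_can)\s*\(")

def function_body(src, name):
    """Return the body of PHP function `name` by brace counting (ignores braces in strings)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)[^{]*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def nonce_only_handlers(src):
    findings = []
    for hook, func in HOOK.findall(src):
        body = function_body(src, func)
        if body and NONCE.search(body) and not CAP.search(body):
            findings.append((hook, func))
    return findings

if __name__ == "__main__":
    for hook, func in nonce_only_handlers(SAMPLE_PHP):
        print(f"{hook}: {func}() verifies a nonce but never checks a capability")
```

A hit is a lead for manual review, not a confirmed finding: the capability check may live in a helper the handler calls, which this regex-based scan does not follow.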
Fix
Information Disclosure
Weakness Enumeration
Related Identifiers
Affected Products
Tutor Lms