PT-2026-3574 · WordPress · Tutor Lms
Published
2026-01-20
·
Updated
2026-01-21
·
CVE-2026-0548
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Tutor LMS versions prior to 3.9.5
Description
The Tutor LMS plugin for WordPress allows authenticated attackers with subscriber-level access or higher to delete arbitrary attachments on a site. This is due to a missing capability check within the
delete existing user photo function.Recommendations
Update Tutor LMS to version 3.9.5 or later.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Tutor Lms