PT-2026-6042 · WordPress · Tutor Lms

Supakiad S · Published 2026-02-03 · Updated 2026-02-03 · CVE-2026-1371

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Tutor LMS versions prior to 3.9.6

Description

The Tutor LMS plugin for WordPress has a flaw where sensitive coupon details can be accessed without proper authorization. The issue stems from insufficient validation within the `ajax_coupon_details()` function, which only checks for nonces but does not confirm user permissions. This allows users with Subscriber-level access or higher to obtain confidential information about coupons, including coupon codes, discount amounts, usage data, and course/bundle associations.

Recommendations

Update Tutor LMS to version 3.9.6 or later.
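The description comes down to an AJAX handler that verifies a nonce but never checks a capability. The following audit heuristic is an added example, not Tutor LMS code or the vendor's patch: it flags `wp_ajax_*` handlers in plugin source that call a nonce helper without `current_user_can()`. The sample PHP is constructed, and its handler names, nonce action, `demo_load_coupon()` and the `manage_options` capability are all hypothetical.

```python
import re

# A nonce ties a request to a session; it does not say what the user may do.
NONCE_CALLS = ("check_ajax_referer", "wp_verify_nonce", "check_admin_referer")
CAPABILITY_CALLS = ("current_user_can", "user_can")
LABELS = {(True, True): "ok", (True, False): "nonce-only",
          (False, True): "capability-only", (False, False): "no-checks"}
# Matches string callbacks and array( $this, 'method' ) / [ $this, 'method' ].
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_(?:nopriv_)?([\w-]+)['\"]\s*,\s*"
    r"(?:(?:array\s*\(|\[)\s*[^,]+,\s*)?['\"](\w+)['\"]")

# Constructed sample, not taken from any real plugin.
SAMPLE_PHP = r"""
add_action( 'wp_ajax_demo_coupon_details', array( $this, 'demo_coupon_details' ) );
add_action( 'wp_ajax_demo_coupon_details_fixed', 'demo_coupon_details_fixed' );
public function demo_coupon_details() {
    check_ajax_referer( 'demo_nonce' );   // every logged-in role can hold a valid nonce
    wp_send_json_success( demo_load_coupon( $_POST['coupon_id'] ) );
}
function demo_coupon_details_fixed() {
    check_ajax_referer( 'demo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {   // capability is an assumption
        wp_send_json_error( null, 403 );
    }
    wp_send_json_success( demo_load_coupon( $_POST['coupon_id'] ) );
}
"""

def function_body(src, name):
    """Return the brace-balanced body of `function name(...)`, or None if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)[^{;]*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:   # heuristic: braces inside strings are not skipped
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """Map each wp_ajax_* action to a LABELS value, or 'unresolved'."""
    findings = {}
    for action, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        if body is None:
            findings[action] = "unresolved"
            continue
        key = (any(c + "(" in body for c in NONCE_CALLS),
               any(c + "(" in body for c in CAPABILITY_CALLS))
        findings[action] = LABELS[key]
    return findings
```

A `nonce-only` result is a prompt for manual review, since a handler may enforce permissions in a helper this text match does not follow.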

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-1371

Affected Products

Tutor Lms