CVE-2026-1371 in Tutor LMS Plugin

Summary

by MITRE • 02/03/2026

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications.


Analysis

by VulDB Data Team • 02/04/2026

The vulnerability identified as CVE-2026-1371 affects the Tutor LMS plugin for WordPress, a widely used eLearning platform that enables educators to create and manage online courses. This particular flaw resides within the plugin's handling of coupon data through the `ajax_coupon_details()` function, which serves as an endpoint for retrieving coupon information via asynchronous requests. The vulnerability represents a critical security oversight that undermines the integrity of the plugin's access control mechanisms and exposes sensitive commercial data to unauthorized users within the system's permission hierarchy.

The technical flaw stems from inadequate authorization validation within the plugin's codebase where the `ajax_coupon_details()` function performs nonce verification but completely omits user capability checks. This design flaw allows any authenticated user with Subscriber-level privileges or higher to exploit the endpoint and extract comprehensive coupon information. The missing authorization checks create a direct pathway for privilege escalation attacks, as the function fails to verify whether the requesting user possesses the necessary permissions to access coupon details. This vulnerability aligns with CWE-284, which describes improper access control mechanisms, and specifically demonstrates how insufficient authorization validation can lead to information disclosure.

The operational impact of this vulnerability extends beyond simple data exposure, as it provides attackers with detailed insights into the platform's promotional strategies and revenue models. An attacker with Subscriber-level access can obtain coupon codes that may have been distributed to specific user groups, discount amounts that could inform pricing strategies, usage statistics that reveal customer behavior patterns, and information about course or bundle applications that could be used for competitive analysis. This exposure creates significant risks for educational institutions and course creators who rely on the plugin to manage their online learning environments and commercial offerings.

Security professionals should consider this vulnerability in relation to ATT&CK technique T1213.002, which involves data from information repositories, as it enables unauthorized access to sensitive business data through legitimate plugin interfaces. The attack vector requires minimal privileges and can be executed through standard web browser interactions, making it particularly dangerous for environments where user accounts are not properly secured or monitored. Organizations should immediately implement mitigations including plugin updates to versions that address the authorization flaw, implementation of network-level access controls to restrict API endpoint access, and enhanced monitoring of AJAX request patterns to detect potential exploitation attempts.

The vulnerability highlights the importance of comprehensive security testing for WordPress plugins, particularly those handling commercial data and user information. Regular security audits should verify that all AJAX endpoints implement proper user capability checks alongside nonce validation to prevent similar issues. Organizations should also consider implementing role-based access controls that restrict coupon management functions to administrators and specific staff members, rather than allowing general authenticated users to access sensitive promotional data. Additionally, the incident underscores the need for maintaining up-to-date security practices and staying informed about plugin vulnerabilities through security advisories and automated scanning tools to prevent exploitation of known security flaws.
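To make the flaw described in the analysis concrete, here is an added illustration (not Tutor LMS code) of an AJAX handler that only validates a nonce, next to the hardened form the audit recommendation calls for. All function names, the nonce action and the `manage_options` capability are hypothetical stand-ins.

```php
<?php
// Added illustration, not code from the Tutor LMS plugin. Names are hypothetical.

// Vulnerable pattern: check_ajax_referer() proves the request carries a nonce
// the site issued to a logged-in session. Every logged-in role, Subscriber
// included, can obtain such a nonce, so this is CSRF protection only and
// does not decide WHO may read coupon data.
function example_ajax_coupon_details_vulnerable() {
    check_ajax_referer( 'example_coupon_nonce', 'nonce' ); // hypothetical nonce action
    $coupon_id = isset( $_POST['coupon_id'] ) ? absint( $_POST['coupon_id'] ) : 0;
    // Codes, discount amounts and usage statistics go back to any authenticated user.
    wp_send_json_success( example_get_coupon( $coupon_id ) );
}

// Hardened pattern: nonce check AND a capability check. 'manage_options' is an
// assumed admin-only capability; a real plugin would use a narrower custom one
// granted only to the roles that manage coupons.
function example_ajax_coupon_details_hardened() {
    check_ajax_referer( 'example_coupon_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $coupon_id = isset( $_POST['coupon_id'] ) ? absint( $_POST['coupon_id'] ) : 0;
    if ( ! $coupon_id ) {
        wp_send_json_error( array( 'message' => 'Invalid coupon.' ), 400 );
    }
    wp_send_json_success( example_get_coupon( $coupon_id ) );
}

// Hypothetical accessor standing in for the plugin's coupon lookup.
function example_get_coupon( $coupon_id ) {
    return array( 'id' => $coupon_id, 'code' => 'SAMPLE-CODE', 'discount' => 0 );
}

// Registering under wp_ajax_ (rather than wp_ajax_nopriv_) only requires a
// login; it does not restrict by role. The capability check above does that.
add_action( 'wp_ajax_example_coupon_details', 'example_ajax_coupon_details_hardened' );
```

The same check applies to REST routes via a `permission_callback`; an endpoint whose only gate is a nonce is reachable by every role that can log in.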

Disclosure

02/03/2026

Moderation

accepted

CPE

ready

EPSS

0.00053

KEV

no

Activities

very low

Sources
