๐Ÿ” CVE Alert

CVE-2026-12275

HIGH 7.1

Tutor LMS < 3.9.13 - Subscriber+ Unauthorized Course Enrollment and Private Course Content Disclosure via Droip/Kirki Integration

CVSS Score
7.1
EPSS Score
0.1%
EPSS Percentile
3th

The Tutor LMS WordPress plugin before 3.9.13 does not, in its Droip and Kirki page-builder integration, perform the enrollment, purchase, and private-course capability checks it enforces in its core course handler, allowing authenticated users with subscriber-level access to enroll in paid or private courses without authorization, read private course content, and mark arbitrary courses as completed, on sites where the Droip or Kirki integration is active.

Vendor unknown
Product tutor lms
Published Jul 13, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for unknown tutor lms

Be the first to know when new high vulnerabilities affecting unknown tutor lms are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / Tutor LMS
0 < 3.9.13

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/fcd43a87-8721-4455-b014-ac81d53fc671/

Credits

Dilovar Berdiev WPScan