Medium severity5.4NVD Advisory· Published Jan 20, 2026· Updated Apr 15, 2026

CVE-2026-0548

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the delete_existing_user_photo function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.

Affected products

Tutor LMS/Tutor LMS Prollm-fuzzy
Range: <=3.9.4

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/changesetnvd
www.wordfence.com/threat-intel/vulnerabilities/id/0e475e02-494a-4ad0-a83c-d027c3a32989nvd

News mentions

No linked articles in our index yet.

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000