CVE-2026-40743

Vulnerability

Tutor LMS versions 3.9.7 and earlier contain an unauthenticated broken access control vulnerability [1]. The issue resides in missing authorization or nonce checks within plugin functions, allowing unprivileged users to perform actions meant for higher-privileged roles [1]. No authentication is required to exploit the flaw.

Exploitation

An attacker with network access to a WordPress site running a vulnerable Tutor LMS plugin can trigger the missing access control checks without authentication [1]. The exact attack vector is not disclosed in the reference, but the vulnerability is classified as broken access control, implying direct manipulation of function calls or parameters that lack authorization verification [1].

Impact

Successful exploitation allows an unauthenticated attacker to execute higher-privileged actions they should not be permitted to perform [1]. The impact is limited to unauthorized functionality access (confidentiality and integrity impact), with a CVSS v3 score of 6.5 (Medium) [1]. The reference notes low likelihood of exploitation [1].

Mitigation

The vulnerability is fixed in Tutor LMS version 3.9.8 [1]. Users should update immediately. Those unable to update can contact their hosting provider or web developer for assistance [1]. Patchstack users can enable auto-updates for vulnerable plugins [1].