PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12275 Tutor LMS CVE debrief

The Tutor LMS WordPress plugin before 3.9.13 has a vulnerability in its Droip and Kirki page-builder integration. This vulnerability allows authenticated users with subscriber-level access to enroll in paid or private courses without authorization, read private course content, and mark arbitrary courses as completed on sites where the Droip or Kirki integration is active.

Vendor
Tutor LMS
Product
Tutor LMS WordPress plugin
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of the Tutor LMS WordPress plugin, particularly those with subscriber-level access, should be aware of this vulnerability. Site administrators should update the plugin to version 3.9.13 or later to mitigate the issue.

Technical summary

The Tutor LMS WordPress plugin before 3.9.13 does not perform the necessary checks for enrollment, purchase, and private-course capabilities in its Droip and Kirki page-builder integration. This omission allows authenticated users with subscriber-level access to perform actions they should not be able to, including enrolling in paid or private courses without authorization, reading private course content, and marking arbitrary courses as completed. This vulnerability is particularly concerning for sites that have active Droip or Kirki integrations.

Defensive priority

High

Recommended defensive actions

  • Update the Tutor LMS WordPress plugin to version 3.9.13 or later.
  • Review and restrict user roles and capabilities, especially for subscribers.
  • Monitor course enrollments, content access, and completion status for anomalies.
  • Consider implementing additional security measures, such as two-factor authentication.
  • Perform a thorough review of existing course content and enrollments to identify potential unauthorized access.
  • Implement monitoring to detect and respond to potential exploitation attempts.
  • Verify that all site administrators are aware of the vulnerability and the necessary mitigation steps.

Evidence notes

The CVE record was published on 2026-07-13T07:16:27.923Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Limited information is available about the specific details of the vulnerability and its impact.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T07:16:27.923Z and has not been modified since then. The NVD entry is currently in the 'Received' status.