{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40740", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-15T09:19:38.194Z", "datePublished": "2026-04-15T10:21:34.311Z", "dateUpdated": "2026-04-15T10:21:34.311Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "tutor", "product": "Tutor LMS", "vendor": "Themeum", "versions": [{"changes": [{"at": "3.9.8", "status": "unaffected"}], "lessThanOrEqual": "3.9.7", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "3diklab | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-15T12:20:47.004Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Tutor LMS: from n/a through <= 3.9.7.</p>"}], "value": "Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.7."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-15T10:21:34.311Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-7-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Tutor LMS plugin <= 3.9.7 - Broken Access Control vulnerability"}}}

{}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.9.7]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[3.9.8,*]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Tutor LMS", "source": "cna", "vendor": "Themeum"}, "product": "tutor_lms", "vendor": "themeum"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T11:23:34.589208+00:00", "value": {"mitigation_remediation": ["Upgrade the Tutor LMS plugin to version 3.9.8 or later.", "If an upgrade is not immediately possible, restrict the plugin\u2019s functionality to trusted roles by adjusting WordPress user permissions or employ a role\u2011management plugin to block unauthorized access.", "Review access logs for unusual activity and monitor users who gain elevated privileges outside of normal patterns."], "summary": {"action": "Apply Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Themeum Tutor LMS plugin for WordPress, versions up to and including 3.9.7. Any installation running these versions is susceptible; newer releases are not impacted.", "description_and_impact": "Missing authorization in the Tutor LMS plugin for WordPress allows an attacker to bypass intended access restrictions and read or modify data that should be protected. This flaw arises from incorrectly configured access control security levels, enabling users with insufficient privileges to perform privileged actions. The weakness is classified as CWE\u2011862, a missing authorization issue.", "risk_and_exploitability": "The CVSS score is not publicly available, and EPSS data is lacking, so a precise risk level cannot be quantified. The plugin operates in a web environment, so the likely attack vector is remote, accessed via HTTP requests to the WordPress site. An attacker who can log in with a limited role or trick a user into visiting specific URLs may exploit the broken access control to obtain unauthorized data or perform administrative actions."}}}}, "created": "2026-04-15T13:38:17.788938+00:00", "updated": "2026-04-15T13:44:58.885512+00:00", "vendors": ["themeum", "themeum$PRODUCT$tutor_lms", "wordpress", "wordpress$PRODUCT$wordpress"]}