What the vulnerability does
01 Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark any course as completed.
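The enrollment verification described above is an object-level authorization check: the handler must confirm that the current user is tied to the specific course before it records anything. The following is an added illustration of a handler that performs that check, not Tutor LMS source code. The `example_*` function, action, nonce and meta-key names, the `example_course` post type, and the user-meta storage of enrollments are all assumptions made for the sketch; only the WordPress core functions are real.

```php
<?php
// Added illustration with hypothetical names; not code from Tutor LMS.
// Assumption: enrollments and completions are stored in user meta as arrays of course IDs.
const EXAMPLE_COURSE_POST_TYPE = 'example_course'; // assumed post type for courses

function example_is_enrolled( int $user_id, int $course_id ): bool {
    $enrolled = get_user_meta( $user_id, 'example_enrolled_courses', true );
    return is_array( $enrolled )
        && in_array( $course_id, array_map( 'intval', $enrolled ), true );
}

function example_mark_course_complete(): void {
    // 1. CSRF protection: stops the request unless the nonce for this action is valid.
    check_ajax_referer( 'example_complete_course', 'nonce' );

    // 2. Authentication: wp_ajax_ hooks run only for logged-in users; fail closed anyway.
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        wp_send_json_error( array( 'message' => 'Login required.' ), 401 );
    }

    // 3. Object validation: the ID must refer to a published course.
    $course_id = isset( $_POST['course_id'] ) ? absint( $_POST['course_id'] ) : 0;
    if ( ! $course_id
        || EXAMPLE_COURSE_POST_TYPE !== get_post_type( $course_id )
        || 'publish' !== get_post_status( $course_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown course.' ), 404 );
    }

    // 4. Object-level authorization: the check the advisory describes as missing.
    if ( ! example_is_enrolled( $user_id, $course_id ) ) {
        wp_send_json_error( array( 'message' => 'Not enrolled in this course.' ), 403 );
    }

    // 5. Only after every check passes is the completion recorded (idempotently).
    $completed = get_user_meta( $user_id, 'example_completed_courses', true );
    $completed = is_array( $completed ) ? array_map( 'intval', $completed ) : array();
    if ( ! in_array( $course_id, $completed, true ) ) {
        $completed[] = $course_id;
        update_user_meta( $user_id, 'example_completed_courses', $completed );
    }
    wp_send_json_success( array( 'course_id' => $course_id ) );
}
add_action( 'wp_ajax_example_mark_course_complete', 'example_mark_course_complete' );
```

Being logged in and holding a valid nonce (steps 1 and 2) say nothing about the user's relationship to the course; without step 4, any subscriber who passes them can complete a course they never enrolled in.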
Explanation of Vulnerability in Simple Terms
02 Summary
Tutor LMS versions up to 3.9.2 lack proper authorization checks, allowing authenticated users to modify content they should not have access to. An attacker with a low-privilege account can change course or lesson data without proper permission validation. The vulnerability requires login but does not require user interaction beyond normal site usage. Update to a version newer than 3.9.2 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Modify course or lesson content without proper authorization.
Potential impact on your site
04 Site Impact
Students or low-privilege users could alter course materials, assignments, or grades.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege account on the site.
Key dates
06 Disclosure timeline
January 9, 2026: CVE published
April 8, 2026: Record updated