CVE-2026-1371
Sensitive Information Exposure in Tutor LMS ajax_coupon_details Function
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themeum | tutor_lms | to 3.9.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Tutor LMS WordPress plugin allows authenticated users with Subscriber-level access or higher to retrieve sensitive coupon information without proper authorization. The issue arises because the ajax_coupon_details() function only verifies nonces but does not check user capabilities, enabling these users to access coupon codes, discount amounts, usage statistics, and course or bundle applications that should be restricted.
How can this vulnerability impact me? :
The vulnerability can lead to exposure of sensitive coupon data such as coupon codes, discount amounts, usage statistics, and the courses or bundles to which coupons apply. This could allow unauthorized users to misuse coupon codes, potentially leading to financial loss or abuse of discounts, and compromise the integrity of the e-learning platform's promotional mechanisms.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to access the `ajax_coupon_details()` AJAX endpoint of the Tutor LMS plugin while authenticated as a Subscriber-level user or higher. Since the vulnerability allows retrieval of sensitive coupon information without proper authorization checks, you can test by sending an authenticated AJAX request to this endpoint and observing if coupon details are returned. Specific commands would involve using tools like curl or Postman to send POST requests with valid WordPress authentication cookies and a valid nonce to the AJAX endpoint related to coupon details. However, exact command examples are not provided in the available resources. [2, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Tutor LMS plugin to a version later than 3.9.5 where the authorization checks in the `ajax_coupon_details()` function are properly implemented. If an update is not immediately possible, restrict access to the AJAX endpoint by limiting user roles that can access coupon details, or apply custom code to enforce capability checks on the `ajax_coupon_details()` AJAX handler. Additionally, monitor and audit user activities related to coupon data access to detect any unauthorized retrieval attempts. [2, 3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows authenticated users with Subscriber-level access and above to retrieve sensitive coupon information such as coupon codes, discount amounts, usage statistics, and course/bundle applications due to missing authorization checks. Exposure of such sensitive information could lead to non-compliance with data protection regulations like GDPR or HIPAA, which require proper protection of sensitive data and restrict unauthorized access. Therefore, this vulnerability potentially compromises compliance with these standards by enabling unauthorized disclosure of sensitive information.