CVE-2026-1371 Overview
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This vulnerability exists due to missing authorization checks in the ajax_coupon_details() function, which only validates nonces but does not verify user capabilities. This security gap makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications.
Critical Impact
Authenticated attackers with minimal privileges (Subscriber-level) can extract sensitive coupon data, potentially leading to financial loss, unauthorized discounts, and business intelligence leakage for eLearning platforms.
Affected Products
- Tutor LMS WordPress Plugin versions up to and including 3.9.5
- WordPress installations running vulnerable Tutor LMS versions
- eLearning platforms utilizing Tutor LMS coupon functionality
Discovery Timeline
- February 3, 2026 - CVE-2026-1371 published to NVD
- February 3, 2026 - Last updated in NVD database
Technical Details for CVE-2026-1371
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The core issue lies in the ajax_coupon_details() function within the CouponController.php file of the Tutor LMS plugin. While the function implements nonce verification to prevent Cross-Site Request Forgery (CSRF) attacks, it critically fails to implement proper capability checks to verify whether the requesting user has authorization to access coupon details.
In WordPress security architecture, nonce validation alone is insufficient for protecting sensitive operations. Nonces verify that a request originated from a legitimate WordPress session but do not validate whether the authenticated user should have permission to perform the requested action. The missing current_user_can() or equivalent capability check allows any authenticated user—even those with the lowest privilege level (Subscriber)—to query and retrieve coupon information that should be restricted to administrators or shop managers.
Root Cause
The root cause of this vulnerability is an Insecure Direct Object Reference combined with Missing Authorization. The ajax_coupon_details() function at line 106 and related code at line 658 in CouponController.php accepts AJAX requests and returns coupon data without verifying that the requesting user has the appropriate role or capability to access this information. The developer implemented nonce verification as a security measure but overlooked the critical step of capability validation, creating a broken access control vulnerability.
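The nonce-only pattern described above, shown beside its hardened form as an added PHP example written for this page (not Tutor LMS code): the hook name, nonce action name, the in-memory coupon lookup and the 'manage_options' capability are assumptions standing in for the plugin's own.

```php
<?php
// Added example, not Tutor LMS code. Names prefixed example_ are assumptions.

// Constructed in-memory coupon store standing in for the plugin's database query.
function example_find_coupon( int $id ): ?array {
    $coupons = [
        7 => [ 'code' => 'SPRING50', 'discount' => 50, 'uses' => 312, 'course_ids' => [ 12, 19 ] ],
    ];
    return $coupons[ $id ] ?? null;
}

// VULNERABLE PATTERN: check_ajax_referer() only proves the request carries a nonce
// issued to a logged-in session. Every role, Subscriber included, can obtain one,
// so the handler answers any authenticated user. Not registered below.
function example_ajax_coupon_details_vulnerable() {
    check_ajax_referer( 'example_nonce_action', '_wpnonce' );
    $coupon = example_find_coupon( absint( $_POST['coupon_id'] ?? 0 ) );
    if ( ! $coupon ) {
        wp_send_json_error( [ 'message' => 'Coupon not found' ], 404 );
    }
    wp_send_json_success( $coupon );
}

// HARDENED: nonce check (CSRF) followed by a capability check (authorization).
// The capability check is the only difference; 'manage_options' is a stand-in
// for whichever capability the plugin grants its coupon administrators.
function example_ajax_coupon_details_fixed() {
    check_ajax_referer( 'example_nonce_action', '_wpnonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() ends the request, so nothing below runs for a Subscriber.
        wp_send_json_error( [ 'message' => 'Insufficient permissions' ], 403 );
    }
    $coupon = example_find_coupon( absint( $_POST['coupon_id'] ?? 0 ) );
    if ( ! $coupon ) {
        wp_send_json_error( [ 'message' => 'Coupon not found' ], 404 );
    }
    wp_send_json_success( $coupon );
}

// wp_ajax_{action} hooks fire for every logged-in user regardless of role, which is
// why a nonce alone cannot gate this data. Only the hardened handler is registered.
add_action( 'wp_ajax_example_coupon_details', 'example_ajax_coupon_details_fixed' );
```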
Attack Vector
The attack is network-based and requires low attack complexity. An attacker must first obtain valid Subscriber-level credentials on a vulnerable WordPress site running Tutor LMS. Once authenticated, the attacker can craft AJAX requests to the ajax_coupon_details() endpoint, including a valid nonce (which they can obtain as an authenticated user). The server processes these requests and returns sensitive coupon information including:
- Coupon codes and their discount values
- Usage statistics revealing business metrics
- Course and bundle associations
- Expiration dates and validity conditions
This information disclosure can enable attackers to use coupons they shouldn't have access to, understand business pricing strategies, or leverage the data for further social engineering attacks.
Detection Methods for CVE-2026-1371
Indicators of Compromise
- Unusual volume of AJAX requests to coupon-related endpoints from low-privilege user accounts
- Subscriber-level accounts making repeated requests to /wp-admin/admin-ajax.php with coupon-related actions
- Access logs showing authenticated users querying coupon details they should not have visibility into
- Unexpected coupon usage patterns that don't correlate with legitimate marketing campaigns
Detection Strategies
- Monitor WordPress AJAX request logs for ajax_coupon_details action calls from non-admin users
- Implement web application firewall (WAF) rules to flag suspicious coupon endpoint access patterns
- Review WordPress user activity logs for Subscriber accounts making administrative-type requests
- Deploy SentinelOne Singularity to detect anomalous application behavior and unauthorized data access attempts
Monitoring Recommendations
- Enable detailed logging for WordPress AJAX requests in your web server configuration
- Set up alerts for multiple coupon detail requests from the same user session within short timeframes
- Monitor for newly created Subscriber accounts that immediately access coupon endpoints
- Integrate WordPress security logs with your SIEM for correlation with other attack indicators
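A WordPress must-use plugin implementing the detection items above from inside WordPress, where the requesting user's identity and role are known (web server logs alone do not carry them): it records coupon-related admin-ajax.php calls by users who lack the administrative capability and flags a user who exceeds a count within a short window. Added here as an example, not part of Tutor LMS or any SentinelOne product; the threshold, window, 'manage_options' capability and the 'coupon' action-name substring are assumptions.

```php
<?php
/**
 * Plugin Name: Coupon AJAX Audit (added example, not Tutor LMS code)
 * Place in wp-content/mu-plugins/. Logs coupon-related AJAX actions from users
 * without the administrative capability and raises an alert line when one user
 * exceeds EXAMPLE_COUPON_AUDIT_THRESHOLD requests inside EXAMPLE_COUPON_AUDIT_WINDOW.
 * All three constants are assumed tuning values.
 */
const EXAMPLE_COUPON_AUDIT_THRESHOLD = 5;                // requests per window
const EXAMPLE_COUPON_AUDIT_WINDOW    = 300;              // seconds
const EXAMPLE_COUPON_AUDIT_CAP       = 'manage_options'; // stand-in for the plugin's own capability

// Per-user counter; the transient expiry scopes the count to the window.
function example_coupon_audit_record( int $user_id ): int {
    $key   = 'example_coupon_audit_' . $user_id;
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_COUPON_AUDIT_WINDOW );
    return $count;
}

function example_coupon_audit_check() {
    // admin_init fires in admin-ajax.php before the action's own handler runs.
    if ( ! wp_doing_ajax() || ! is_user_logged_in() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    // Substring match over-matches learner-facing coupon actions (e.g. applying a
    // coupon at checkout); since this only logs, that costs noise, not breakage.
    if ( $action === '' || stripos( $action, 'coupon' ) === false ) {
        return;
    }
    if ( current_user_can( EXAMPLE_COUPON_AUDIT_CAP ) ) {
        return; // expected administrative use
    }
    $user  = wp_get_current_user();
    $count = example_coupon_audit_record( $user->ID );
    error_log( sprintf(
        'coupon-ajax-audit user=%s roles=%s action=%s ip=%s count=%d',
        $user->user_login,
        implode( ',', $user->roles ),
        $action,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $count
    ) );
    if ( $count >= EXAMPLE_COUPON_AUDIT_THRESHOLD ) {
        error_log( 'coupon-ajax-audit ALERT threshold exceeded user=' . $user->user_login );
    }
}
add_action( 'admin_init', 'example_coupon_audit_check' );
```

With WP_DEBUG_LOG enabled the lines land in wp-content/debug.log, which can be shipped to the SIEM for the correlation described above.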
How to Mitigate CVE-2026-1371
Immediate Actions Required
- Update Tutor LMS plugin to a version newer than 3.9.5 that contains the security patch
- Audit existing Subscriber and low-privilege accounts for suspicious activity
- Review coupon usage logs for any unauthorized access or redemption
- Consider temporarily disabling coupon functionality if immediate patching is not possible
Patch Information
A security patch addressing this vulnerability is available. The fix can be reviewed in the WordPress Tutor Plugin Changeset which implements proper capability checks alongside the existing nonce verification. The vulnerable code can be examined in the CouponController.php source. For additional vulnerability details, refer to the Wordfence Vulnerability Report.
Workarounds
- Implement additional authorization controls at the web server or WAF level to restrict access to AJAX coupon endpoints
- Use a WordPress security plugin to add capability checks for sensitive AJAX actions
- Temporarily remove coupon functionality by deactivating the ecommerce component if business operations allow
- Restrict user registration to prevent attackers from easily obtaining Subscriber-level accounts
# Restrict access to coupon AJAX endpoints via .htaccess (temporary workaround)
# Add to WordPress root .htaccess file
# Limits: mod_rewrite only sees the query string, so POST bodies (the usual
# admin-ajax transport) are not inspected; the cookie test is a login-name
# heuristic, not a capability check; and learner-facing coupon actions
# (for example applying a coupon at checkout) are denied as well.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$
# [^&]* keeps the match inside the action parameter instead of spanning into later parameters
RewriteCond %{QUERY_STRING} action=[^&]*coupon [NC]
# Cookie value is <login>%7C<expiry>%7C...; replace ADMIN_LOGIN (placeholder) with the administrator's login name
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_[^=]+=ADMIN_LOGIN%7C [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.