CVE-2026-23799 Overview
CVE-2026-23799 is a Missing Authorization vulnerability [CWE-862] in the Themeum Tutor LMS plugin for WordPress. The flaw affects all versions up to and including 3.9.5. Tutor LMS is a learning management system plugin used by WordPress site owners to deliver online courses.
The vulnerability allows an authenticated attacker with low privileges (any account the site will issue, such as Subscriber or Student) to invoke functionality whose authorization check is missing. Successful exploitation discloses protected data; integrity and availability are not affected. The issue is reachable over the network and requires no user interaction.
Critical Impact
Authenticated attackers holding only low-level privileges can read restricted resources in Tutor LMS installations up to and including 3.9.5, resulting in unauthorized disclosure of protected data.
Affected Products
- Themeum Tutor LMS plugin for WordPress
- All versions up to and including 3.9.5 (no earliest affected version is given)
- WordPress sites running vulnerable Tutor LMS installations
Discovery Timeline
- 2026-03-05 - CVE-2026-23799 published to the National Vulnerability Database (NVD)
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-23799
Vulnerability Analysis
The vulnerability is classified as Missing Authorization [CWE-862]: Tutor LMS exposes functionality without verifying that the requesting user holds the appropriate capability. An attacker who holds any authenticated account on the WordPress site can issue requests to endpoints that should be access-controlled and receive data that should be restricted to higher-privileged roles.
The attack vector is network-based and exploitation complexity is low. Only the confidentiality property is affected; integrity and availability remain intact. The EPSS data indicates a low probability of in-the-wild exploitation activity at publication time.
Root Cause
The plugin fails to enforce a capability check on one or more access-controlled actions. In WordPress the authorization decision belongs to current_user_can() (or a map_meta_cap rule behind it), which answers whether this user may perform this operation. A nonce check such as check_ajax_referer() or wp_verify_nonce() is frequently mistaken for that decision, but it only confirms that the request was produced by the site's own page or script, which is CSRF protection; any logged-in user who can load the page that renders the nonce passes it. When the capability check is omitted, tests the wrong capability, or checks the role but not ownership of the specific object requested, lower-privileged roles such as Subscriber or Student reach data and operations intended for instructors or administrators. This page does not identify which Tutor LMS action is affected.
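The following PHP is an added illustration of that root cause and is not Tutor LMS code: a hypothetical "export enrollments" operation is written first as an admin-ajax handler with only a nonce check (the CWE-862 shape), then with the capability and object-ownership checks a reviewer would expect, and finally as a REST route where the same decision belongs in permission_callback. The action names, route, the course post type and the custom capability example_lms_export_enrollments are invented for the example.

```php
<?php
/**
 * Added illustration, not Tutor LMS code: a hypothetical "export course enrollments"
 * endpoint written twice, once with the CWE-862 defect and once with the checks a
 * reviewer would expect. Action/route names, the post type and the capability are invented.
 */

// --- Vulnerable pattern: the nonce is checked, authorization is not. ------------------
// Any logged-in user (Subscriber, Student, ...) passes check_ajax_referer() as long as the
// page that rendered the nonce was visible to them, so the enrollment list of an arbitrary
// course is returned to anyone who can authenticate.
add_action( 'wp_ajax_example_lms_export_enrollments', function () {
    check_ajax_referer( 'example_lms_nonce', 'nonce' );   // CSRF protection only

    $course_id = absint( $_GET['course_id'] ?? 0 );
    wp_send_json_success( example_lms_enrollment_rows( $course_id ) );
} );

// --- Hardened pattern: nonce AND capability AND object-level ownership. ---------------
add_action( 'wp_ajax_example_lms_export_enrollments_fixed', function () {
    check_ajax_referer( 'example_lms_nonce', 'nonce' );

    $course_id = absint( $_GET['course_id'] ?? 0 );

    // 1. Capability check: is this kind of user allowed to export at all?
    //    'example_lms_export_enrollments' is an invented custom capability that a plugin
    //    would grant to the instructor and administrator roles on activation.
    if ( ! current_user_can( 'example_lms_export_enrollments' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );   // wp_die()s
    }

    // 2. Object-level check: is this particular course theirs to export?
    //    A role check alone still lets one instructor read another instructor's data.
    $course = get_post( $course_id );
    if ( ! $course
         || 'course' !== $course->post_type
         || ( (int) $course->post_author !== get_current_user_id()
              && ! current_user_can( 'manage_options' ) ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    wp_send_json_success( example_lms_enrollment_rows( $course_id ) );
} );

// --- Same rule for a REST route: authorization lives in permission_callback. -----------
// A route registered with 'permission_callback' => '__return_true' (or with none at all,
// which WordPress 5.5+ warns about) is the REST-API form of the same defect.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-lms/v1', '/courses/(?P<id>\d+)/enrollments', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( example_lms_enrollment_rows( (int) $request['id'] ) );
        },
        'permission_callback' => function ( WP_REST_Request $request ) {
            $course = get_post( (int) $request['id'] );
            if ( ! current_user_can( 'example_lms_export_enrollments' )
                 || ! $course || 'course' !== $course->post_type ) {
                // rest_authorization_required_code(): 401 for anonymous, 403 for logged-in
                return new WP_Error( 'rest_forbidden', 'Forbidden',
                    array( 'status' => rest_authorization_required_code() ) );
            }
            return (int) $course->post_author === get_current_user_id()
                || current_user_can( 'manage_options' );
        },
    ) );
} );

// Stand-in for the data access layer; a real plugin would query its enrollment table.
function example_lms_enrollment_rows( int $course_id ): array {
    return array( 'course_id' => $course_id, 'rows' => array() );
}
```

When reviewing a plugin for this class of bug, look at every wp_ajax_* handler and every register_rest_route() call and ask two questions per endpoint: which capability gates it, and does it verify that the object identified by the request parameters belongs to the caller. A nonce on its own answers neither.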
Attack Vector
An attacker authenticates to the target WordPress site with any low-privileged account. The attacker then sends crafted HTTP requests to the vulnerable Tutor LMS endpoint. Because the endpoint does not validate the caller's role or capability, the server returns protected information. Self-registration features on many WordPress sites make obtaining a low-privileged account trivial.
The vulnerability mechanism is described in the Patchstack WordPress Vulnerability Advisory. No public proof-of-concept code is available at this time.
Detection Methods for CVE-2026-23799
Indicators of Compromise
- Unexpected HTTP requests from low-privileged user sessions to Tutor LMS admin-ajax.php actions or REST API routes under /wp-json/tutor/
- Access logs showing repeated calls to Tutor LMS endpoints from accounts with the Subscriber or Student role
- Bulk or scripted retrieval of course or student data from a site running Tutor LMS 3.9.5 or earlier, particularly by accounts created shortly before the activity
Detection Strategies
- Audit requests to Tutor LMS endpoints by caller role and flag those from non-instructor accounts. Web-server access logs show the path and whether a wordpress_logged_in cookie was present, but not which user or role sent the request, so this needs application-level logging from inside WordPress
- Deploy a web application firewall (WAF) rule for Tutor LMS AJAX and REST endpoints to rate-limit and block known-bad patterns; a WAF cannot validate the caller's WordPress role, so role-aware enforcement belongs in WordPress itself
- Review WordPress user registration logs for newly created accounts that immediately query Tutor LMS endpoints
Monitoring Recommendations
- Enable verbose logging on the WordPress site and forward logs to a centralized SIEM for correlation
- Track HTTP 200 responses to Tutor LMS endpoints for callers who should not have access to course or student data, correlating access-log entries with application logs that carry the WordPress user ID
- Alert on bulk enumeration patterns against Tutor LMS REST API routes
How to Mitigate CVE-2026-23799
Immediate Actions Required
- Update the Tutor LMS plugin to a version newer than 3.9.5 once the vendor releases a fixed build
- If active exploitation is observed, disable the Tutor LMS plugin on production sites until a patched version is installed
- Restrict WordPress user self-registration to reduce the pool of accounts that can authenticate to the vulnerable endpoints
Patch Information
Refer to the Patchstack WordPress Vulnerability Advisory for the current patch status. Administrators should monitor the Themeum vendor channel and the WordPress plugin repository for an updated release that addresses the missing authorization checks.
Workarounds
- Apply a virtual patch that denies sensitive Tutor LMS actions to low-privileged callers until an official fix ships. A WAF sees paths, methods and the login cookie but not the WordPress role, so use it for path blocking and rate limiting and put the role check itself inside WordPress (for example in an mu-plugin hooked before the REST and admin-ajax dispatch)
- Audit and reduce the capabilities granted to the Subscriber and Student roles with a role management plugin. This limits what a low-privileged session can reach elsewhere on the site, but it does nothing against an endpoint that performs no capability check at all
- Temporarily disable Tutor LMS features that expose the vulnerable endpoints if business operations permit
# Configuration example (Apache .htaccess): deny every logged-in session access to Tutor LMS REST routes.
# A rewrite rule cannot see WordPress roles, so this cuts off instructors and administrators too,
# leaves admin-ajax.php actions untouched, and assumes WordPress is installed at the site root.
# Treat it as a short-lived stopgap; a role-aware check has to run inside WordPress.
<IfModule mod_rewrite.c>
RewriteEngine On
# Only requests carrying a WordPress auth cookie (wordpress_logged_in_<hash>) are affected ...
RewriteCond %{HTTP_COOKIE} wordpress_logged_in_ [NC]
# ... and only the tutor namespace, in the pretty-permalink form
RewriteCond %{REQUEST_URI} ^/wp-json/tutor/ [NC,OR]
# or the ?rest_route= form, which would otherwise slip past the path check
RewriteCond %{QUERY_STRING} (^|&)rest_route=(/|%2F)tutor(/|%2F) [NC]
RewriteRule .* - [F,L]
</IfModule>
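Because a rewrite rule cannot tell a student from an instructor, the role-aware version of the same stopgap has to run inside WordPress. The mu-plugin below is an added example, not Tutor LMS code and not taken from the advisory: it emits one JSON line per Tutor LMS REST or admin-ajax request with the caller's user ID and roles (the fields the detection and monitoring steps above need and plain access logs lack), and when TUTOR_GUARD_ENFORCE is set it returns 403 on those requests to callers who hold nothing beyond low-privilege roles while instructors and administrators are unaffected. It assumes that Tutor LMS REST routes live under the /tutor/ namespace cited on this page, that its admin-ajax actions start with tutor_, and that the student role slug is tutor_student; none of those three are confirmed here.

```php
<?php
/**
 * Plugin Name: Tutor LMS access guard (added example; not Tutor LMS code, not from the advisory)
 *
 * Drop this file into wp-content/mu-plugins/. It does two things a web-server rule cannot,
 * because only WordPress knows who the caller is:
 *   1. logs one JSON line per Tutor LMS REST/AJAX request with the caller's user ID and
 *      roles (plain access logs carry neither), for SIEM correlation;
 *   2. optionally denies those requests to callers whose roles are all low-privilege,
 *      while instructors and administrators keep working.
 * Assumptions (not confirmed by this page): Tutor LMS REST routes sit under the '/tutor/'
 * namespace, its admin-ajax actions are prefixed 'tutor_', and the student role slug is
 * 'tutor_student'. Adjust the constants to match your install before relying on it.
 */

const TUTOR_GUARD_ENFORCE        = false;                               // false = log only
const TUTOR_GUARD_LOW_PRIV_ROLES = array( 'subscriber', 'tutor_student' );

// Pure decision logic, kept free of WordPress globals so it is easy to reason about.
// Returns 'deny' only when enforcing, the caller is logged in, and every role they hold
// is in the low-privilege list; anonymous callers are left to WordPress's own handling.
function tutor_guard_decide( array $roles, bool $logged_in, bool $enforce ): string {
    if ( ! $enforce || ! $logged_in || empty( $roles ) ) {
        return 'allow';
    }
    return array_diff( $roles, TUTOR_GUARD_LOW_PRIV_ROLES ) ? 'allow' : 'deny';
}

// Logs the request and returns the decision for the caller.
function tutor_guard_handle( string $kind, string $target ): string {
    $user     = wp_get_current_user();
    $roles    = $user->exists() ? $user->roles : array();
    $decision = tutor_guard_decide( $roles, $user->exists(), TUTOR_GUARD_ENFORCE );

    error_log( wp_json_encode( array(
        'evt'      => 'tutor_guard',
        'ts'       => gmdate( 'c' ),
        'kind'     => $kind,                       // 'rest' or 'ajax'
        'target'   => $target,                     // REST route or AJAX action name
        'method'   => $_SERVER['REQUEST_METHOD'] ?? '',
        'ip'       => $_SERVER['REMOTE_ADDR'] ?? '',
        'user'     => $user->ID,                   // 0 when anonymous
        'roles'    => $roles,
        'decision' => $decision,
    ) ) );
    return $decision;
}

// REST: rest_pre_dispatch runs after authentication and before the route callback;
// returning a WP_Error short-circuits the request with that status.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route();
    if ( 0 !== strpos( $route, '/tutor/' ) ) {
        return $result;
    }
    if ( 'deny' === tutor_guard_handle( 'rest', $route ) ) {
        return new WP_Error( 'tutor_guard_forbidden', 'Forbidden', array( 'status' => 403 ) );
    }
    return $result;
}, 10, 3 );

// admin-ajax: admin_init fires after the user is authenticated and before the wp_ajax_* action.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 0 !== strpos( $action, 'tutor_' ) ) {
        return;
    }
    if ( 'deny' === tutor_guard_handle( 'ajax', $action ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );   // calls wp_die()
    }
} );
```

Start with TUTOR_GUARD_ENFORCE left at false, forward the tutor_guard lines to the SIEM, and review what legitimate student traffic looks like before switching it to true, since enforcement denies every Tutor LMS REST and AJAX call from purely low-privilege accounts and will break whatever front-end features students are meant to use. Note that a REST call carrying the login cookie but no X-WP-Nonce header is logged with user 0, because WordPress deliberately treats such requests as anonymous.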
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.