CVE-2026-40740 Overview
CVE-2026-40740 is a missing authorization vulnerability in the Themeum Tutor LMS plugin for WordPress. The flaw affects all versions up to and including 3.9.7. An authenticated attacker with low privileges can exploit incorrectly configured access control checks to perform actions that should require higher authorization. The vulnerability is tracked under CWE-862: Missing Authorization.
Critical Impact
Authenticated users can bypass intended access control boundaries within Tutor LMS, resulting in unauthorized read or modification of restricted plugin functionality on affected WordPress sites.
Affected Products
- Themeum Tutor LMS (tutor plugin) for WordPress
- Versions from initial release through 3.9.7
- WordPress sites with the Tutor LMS plugin installed and active
Discovery Timeline
- 2026-04-15 - CVE-2026-40740 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40740
Vulnerability Analysis
The vulnerability stems from broken access control in the Tutor LMS plugin. The plugin exposes functionality that fails to verify whether the requesting user possesses the required capability before executing privileged operations. An attacker authenticated as a low-privilege user, such as a subscriber or student role, can invoke these endpoints directly.
The Patchstack advisory classifies this as a broken access control issue affecting all versions up to and including 3.9.7. The attack is performed over the network and requires no user interaction. Successful exploitation produces limited impact on integrity and availability without exposing confidential data.
The EPSS probability of 0.04% indicates a low likelihood of exploitation in the near term, consistent with the prerequisite of authenticated access.
Root Cause
The root cause is the absence or misconfiguration of authorization checks on one or more plugin actions. WordPress plugins commonly rely on current_user_can() capability checks and nonce validation to gate sensitive operations. When these checks are missing, incomplete, or compare against the wrong capability, the action becomes accessible to any authenticated user regardless of role.
Attack Vector
An attacker must hold a valid WordPress account on the target site. The attacker then issues crafted HTTP requests to the vulnerable Tutor LMS endpoints, typically through admin-ajax.php or REST API routes registered by the plugin. Because the server does not enforce role-based restrictions, the requests succeed and execute privileged plugin logic.
For full technical details, refer to the Patchstack Security Advisory.
Detection Methods for CVE-2026-40740
Indicators of Compromise
- Unexpected modifications to Tutor LMS course, lesson, quiz, or enrollment data made by non-instructor accounts
- Requests to plugin AJAX or REST endpoints originating from low-privilege user sessions
- New or altered Tutor LMS records lacking a corresponding administrator or instructor audit trail
Detection Strategies
- Audit WordPress access logs for POST requests to wp-admin/admin-ajax.php with Tutor LMS action parameters from subscriber-level sessions
- Compare Tutor LMS database tables against backups to identify unauthorized changes to records, enrollments, or settings
- Review user activity logs for capability-protected operations performed by accounts that should not possess those capabilities
Monitoring Recommendations
- Enable WordPress audit logging to capture every plugin action with the originating user ID and IP address
- Forward web server and PHP logs to a centralized SIEM for correlation against user role data
- Alert on bursts of requests to Tutor LMS endpoints from a single authenticated user within a short window
How to Mitigate CVE-2026-40740
Immediate Actions Required
- Update the Tutor LMS plugin to a version higher than 3.9.7 as soon as the vendor publishes a fix
- Review all WordPress user accounts and remove or downgrade any unnecessary low-privilege accounts
- Restrict new user registration on sites that do not require public sign-up
- Audit Tutor LMS data and configuration for unauthorized changes made prior to remediation
Patch Information
At the time of publication, the Patchstack advisory lists the vulnerability as affecting Tutor LMS through <= 3.9.7. Site administrators should monitor the Patchstack Security Advisory and the official Themeum Tutor LMS release notes for a patched version and apply it immediately upon release.
Workarounds
- Temporarily deactivate the Tutor LMS plugin on sites that do not require active course delivery until a patched version is installed
- Deploy a web application firewall rule to block requests to Tutor LMS AJAX and REST endpoints from non-instructor accounts
- Enforce strong password and multi-factor authentication policies on all WordPress accounts to limit the pool of potential attackers
# Example WordPress CLI commands to inventory and disable the plugin
wp plugin get tutor --field=version
wp plugin deactivate tutor
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
