Tutor LMS Missing Authorization Vulnerability Allows Unauthorized Course Completion

Vulnerability

The Tutor LMS WordPress plugin is affected by a missing authorization vulnerability in versions up to and including 3.9.2. The 'mark_course_complete' function does not verify that the requesting user is enrolled in the course. As a result, any authenticated user with subscriber-level access or higher can mark any course as completed, bypassing the intended enrollment requirement.
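The missing check can be shown with a small standalone PHP model that sets the flawed pattern beside the corrected one. This is an added illustration, not code from Tutor LMS: the function names, the in-memory enrollment table and the user and course IDs are all hypothetical and constructed for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical model, not Tutor LMS code.
// Constructed sample data: user ID => IDs of the courses that user is enrolled in.
const ENROLLMENTS = [
    10 => [101],        // subscriber enrolled in course 101 only
    11 => [101, 102],
];

/** Hypothetical enrollment lookup standing in for the LMS's own check. */
function is_enrolled(int $userId, int $courseId): bool
{
    return in_array($courseId, ENROLLMENTS[$userId] ?? [], true);
}

/** Flawed pattern: any logged-in user can complete any course ID they submit. */
function complete_course_unchecked(?int $userId, int $courseId, array &$completed): bool
{
    if ($userId === null) {
        return false;                      // authentication is checked...
    }
    $completed[$userId][] = $courseId;     // ...but enrollment never is
    return true;
}

/** Corrected pattern: completion is recorded only for a course the caller is enrolled in. */
function complete_course_checked(?int $userId, int $courseId, array &$completed): bool
{
    if ($userId === null || $courseId <= 0) {
        return false;                      // reject anonymous callers and malformed IDs
    }
    if (!is_enrolled($userId, $courseId)) {
        return false;                      // object-level authorization: deny by default
    }
    if (!in_array($courseId, $completed[$userId] ?? [], true)) {
        $completed[$userId][] = $courseId; // idempotent write
    }
    return true;
}

$flawed = [];
$fixed  = [];
var_dump(complete_course_unchecked(10, 102, $flawed)); // user 10 is not enrolled in 102
var_dump(complete_course_checked(10, 102, $fixed));    // same request against the checked form
var_dump(complete_course_checked(10, 101, $fixed));    // enrolled course
```

The same request (user 10, course 102) is accepted by the unchecked function and refused by the checked one, while the request for an enrolled course still succeeds.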

Impact

Exploitation of this vulnerability allows for arbitrary course completion, potentially leading to unauthorized access to course materials or certifications.

Remediation

Users are advised to update the Tutor LMS plugin to version 3.9.4 or a newer patched version.

Added: Jan 9, 2026, 8:22 AM
Updated: Jan 9, 2026, 8:22 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 6.1
remediation: 7.7
relevance: 2.0
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.