Tutor LMS Missing Authorization Vulnerability Allows Attachment Deletion

Vulnerability

A missing authorization vulnerability exists in the Tutor LMS WordPress plugin in all versions up to and including 3.9.4. The 'delete_existing_user_photo' function performs no capability check before deleting the attachment it is asked to remove, so any authenticated user, including one holding only the subscriber role, can delete arbitrary attachments from the site rather than just their own profile photo.
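The following is an added illustration of the bug class the advisory describes, not Tutor LMS code and not the plugin's actual patch: an admin-ajax handler that deletes whatever attachment ID the client sends, beside a hardened form that never trusts a client-supplied ID. All function, hook, request-parameter and user-meta names (example_*, attachment_id, example_profile_photo) are hypothetical; the WordPress API calls are real.

```php
<?php
// Added example, not Tutor LMS code. Names prefixed example_ are hypothetical.

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_* hooks are reachable by any logged-in user, so "is logged in" is
// the only gate here. Nothing ties the attachment ID to the caller: a
// subscriber can pass any ID in the media library and it is deleted.
function example_delete_user_photo_vulnerable() {
    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    if ( $attachment_id ) {
        wp_delete_attachment( $attachment_id, true ); // removes file and post row
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_user_photo_vulnerable', 'example_delete_user_photo_vulnerable' );

// --- Hardened form --------------------------------------------------------
function example_delete_user_photo_secure() {
    // 1. CSRF: the request must carry the nonce issued to this user for this action.
    check_ajax_referer( 'example_delete_user_photo', 'nonce' );

    $user_id = get_current_user_id();
    if ( ! $user_id ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // 2. Do not accept an attachment ID from the request at all. The only
    //    attachment this endpoint may remove is the one recorded as the
    //    caller's own profile photo (meta key is hypothetical).
    $attachment_id = (int) get_user_meta( $user_id, 'example_profile_photo', true );
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        wp_send_json_error( 'no profile photo set', 404 );
    }

    // 3. Defence in depth: the stored ID must still point at an attachment
    //    authored by this user. Guards against meta that was tampered with or
    //    an ID that was reused after the original attachment was deleted.
    if ( (int) get_post_field( 'post_author', $attachment_id ) !== $user_id ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Note: current_user_can( 'delete_post', $attachment_id ) is the generic
    // WordPress check, but attachments map it to delete_posts, which the
    // subscriber role lacks by default. A plugin that lets subscribers manage
    // a photo therefore has to enforce ownership itself, as above.

    wp_delete_attachment( $attachment_id, true );
    delete_user_meta( $user_id, 'example_profile_photo' );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_user_photo_secure', 'example_delete_user_photo_secure' );
```

The key change is that the hardened handler derives the target from server-side state tied to the caller instead of from the request, which removes the ability to name a foreign attachment at all; the author check and nonce are layered on top. To confirm exposure on a live site, compare the installed plugin version with 3.9.5 (with WP-CLI, `wp plugin get tutor --field=version`, assuming the plugin's slug is `tutor`).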

Impact

An attacker holding any account on the site can delete media library attachments they do not own. Because the deleted files are referenced from posts, pages and course content, this results in loss of uploaded files and broken images, downloads and course material wherever those attachments were used.

Remediation

Update the Tutor LMS plugin to version 3.9.5 or a newer patched version. Until the update is applied, every account that can log in can reach the affected code path, so a site that allows open registration is exposed to anyone who signs up.

Added: Jan 20, 2026, 3:58 PM
Updated: Jan 20, 2026, 3:58 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 6.1
remediation: 7.7
relevance: 2.2
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.