cleantalk
Vulnerabilities and Security Researches

Tutor LMS – eLearning and online course solution, CVE-2026-0548

CVE, Research URL

CVE-2026-0548

Home page URL

Security reports for Tutor LMS – eLearning and online course solution

Application

Tutor LMS – eLearning and online course solution

Published on
Jan 20, 2026
Research Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.
Affected versions
max 3.9.5.
Status
vulnerable
Previous vulnerability researches
Advanced Custom Fields: Table Field (CVE-2025-12067) , Jan 27, 2026
Advanced Custom Fields: Table Field (a4db1680-e0ac-425e-90bf-306bb65b921f) , Jun 07, 2024
New vulnerability
WP YouTube Lyte (CVE-2026-3299) , Apr 16, 2026
WordPress Plugin for Google Maps – WP MAPS (CVE-2025-13364) , Apr 16, 2026
WordPress Plugin for Google Maps – WP MAPS (CVE-2026-39492) , Apr 16, 2026
Tutor LMS – eLearning and online course solution (CVE-2026-0548) , Apr 16, 2026
Tutor LMS – eLearning and online course solution (CVE-2026-40740) , Apr 16, 2026