cleantalk
Vulnerabilities and Security Researches

Tutor LMS – eLearning and online course solution, CVE-2026-0548

CVE, Research URL

CVE-2026-0548

Home page URL

Security reports for Tutor LMS – eLearning and online course solution

Application

Tutor LMS – eLearning and online course solution

Published on
Jan 20, 2026
Research Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.
Affected versions
max 3.9.5.
Status
vulnerable
Previous vulnerability researches
Token of Trust: AI Identity Verification, Age Verification, and KYC (CVE-2026-2834) , Apr 16, 2026
New vulnerability
Better Find and Replace (CVE-2026-3369) , Apr 17, 2026
FastDup – Fastest WordPress Migration & Duplicator (CVE-2026-0604) , Apr 17, 2026
Short Link (CVE-2026-0813) , Apr 17, 2026
Nelio AB Testing (CVE-2026-40742) , Apr 17, 2026
Mini Ajax Cart for WooCommerce (CVE-2026-6370) , Apr 17, 2026