cleantalk
Vulnerabilities and Security Researches

Tutor LMS – eLearning and online course solution, CVE-2026-0548

CVE, Research URL

CVE-2026-0548

Home page URL

Security reports for Tutor LMS – eLearning and online course solution

Application

Tutor LMS – eLearning and online course solution

Published on
Jan 20, 2026
Research Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.
Affected versions
max 3.9.5.
Status
vulnerable
Previous vulnerability researches
WP Guppy Lite – A live chat plugin for WordPress (CVE-2025-24643) , Feb 05, 2025
WP Guppy Lite – A live chat plugin for WordPress (CVE-2025-30775) , Apr 02, 2025
WP Guppy Lite – A live chat plugin for WordPress (CVE-2025-6792) , Apr 16, 2026
WP Guppy Lite – A live chat plugin for WordPress (CVE-2025-49910) , Nov 11, 2025
WP Guppy Lite – A live chat plugin for WordPress (CVE-2024-49222) , Jan 08, 2025
New vulnerability
WP YouTube Lyte (CVE-2026-3299) , Apr 16, 2026
WordPress Plugin for Google Maps – WP MAPS (CVE-2025-13364) , Apr 16, 2026
WordPress Plugin for Google Maps – WP MAPS (CVE-2026-39492) , Apr 16, 2026
Tutor LMS – eLearning and online course solution (CVE-2026-0548) , Apr 16, 2026
Tutor LMS – eLearning and online course solution (CVE-2026-40740) , Apr 16, 2026