CVE-2026-1371 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the Tutor LMS plugin for WordPress, widely used for eLearning and online course management. The root cause is the lack of proper authorization checks in the ajax_coupon_details() AJAX handler function. While the function validates WordPress nonces to prevent CSRF, it fails to verify whether the requesting user has the appropriate capabilities to access coupon data. This oversight allows any authenticated user with at least Subscriber-level privileges to invoke this function and retrieve sensitive coupon-related information. The exposed data includes coupon codes, discount values, usage statistics, and details about which courses or bundles the coupons apply to. Since WordPress Subscriber roles are commonly assigned to registered users, this vulnerability can be exploited by a broad range of authenticated users, potentially including malicious insiders or compromised accounts. The vulnerability affects all versions up to 3.9.5 of Tutor LMS. The CVSS 3.1 base score is 5.3 (medium), reflecting that the attack vector is network-based, requires no privileges beyond Subscriber, no user interaction, and impacts confidentiality only. No integrity or availability impacts are reported. No known public exploits have been observed yet, but the exposure of coupon data could lead to unauthorized discounts or facilitate further attacks targeting eLearning platforms. The vulnerability was publicly disclosed on February 3, 2026, with no patch links currently available, indicating that users should monitor vendor updates closely.

The primary impact of CVE-2026-1371 is the unauthorized disclosure of sensitive coupon information within Tutor LMS installations. This can lead to financial losses through unauthorized coupon usage or abuse of discount codes. Exposure of usage statistics and course/bundle application data may also reveal business-sensitive information about promotional strategies or user engagement. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach could undermine trust in the eLearning platform and potentially facilitate further attacks, such as privilege escalation or social engineering. Organizations relying on Tutor LMS for online education, especially those with large user bases or significant revenue from course sales, may face reputational damage and financial impact if attackers exploit this flaw. Since the vulnerability requires only Subscriber-level authentication, it broadens the attacker pool to include any registered user, increasing the risk in environments with many users or weak account security. The absence of known exploits in the wild currently limits immediate risk, but the vulnerability should be treated seriously given the sensitive nature of the exposed data.

To mitigate CVE-2026-1371, organizations should implement the following specific measures: 1) Immediately restrict user roles and permissions to the minimum necessary, especially limiting Subscriber-level accounts from accessing sensitive coupon-related functions if possible. 2) Monitor and audit user activity for suspicious access patterns to coupon data or AJAX endpoints related to Tutor LMS. 3) Apply vendor patches promptly once released; in the absence of official patches, consider implementing custom authorization checks in the ajax_coupon_details() function to verify user capabilities before returning coupon information. 4) Employ Web Application Firewalls (WAFs) to detect and block anomalous AJAX requests targeting coupon data endpoints. 5) Educate administrators and developers about the importance of proper authorization checks beyond nonce validation in WordPress AJAX handlers. 6) Regularly update WordPress core and plugins to reduce exposure to known vulnerabilities. 7) Consider isolating or segmenting the LMS environment to limit lateral movement if an account is compromised. These targeted actions go beyond generic advice by focusing on the specific authorization weakness and the nature of the exposed data.