The vulnerability identified as CVE-2026-1371 affects the Tutor LMS plugin for WordPress, a widely used eLearning and online course management solution. The root cause is a missing authorization check in the ajax_coupon_details() AJAX handler function. Although the function validates WordPress nonces to prevent CSRF attacks, it does not verify whether the requesting user has the appropriate permissions to access sensitive coupon data. This oversight allows any authenticated user with at least Subscriber-level access to invoke this function and retrieve sensitive information such as coupon codes, discount amounts, usage statistics, and the courses or bundles to which coupons are applied. The exposure of such data can lead to unauthorized coupon redemption, financial losses, and potential abuse of promotional campaigns. The vulnerability affects all versions of Tutor LMS up to and including 3.9.5. The CVSS 3.1 base score is 5.3 (medium), reflecting the network attack vector, low complexity, no privileges required beyond authentication, and no user interaction needed. The impact is limited to confidentiality, with no direct effect on integrity or availability. No public exploits have been reported yet, but the vulnerability's nature makes it a candidate for exploitation in environments where attackers can register or compromise low-privilege accounts. The vulnerability highlights the importance of implementing proper capability checks in AJAX handlers, especially when sensitive business data is involved.

For European organizations using Tutor LMS, the exposure of coupon-related sensitive information can lead to unauthorized use of discounts, financial losses, and erosion of trust in eLearning platforms. Attackers with Subscriber-level access could harvest coupon codes and usage data to exploit promotional offers or resell discounted course access. This could also reveal business strategies related to pricing and marketing campaigns. While the vulnerability does not directly impact system integrity or availability, the confidentiality breach could have reputational consequences and complicate compliance with data protection regulations such as GDPR if personal data is indirectly exposed. Organizations relying on Tutor LMS for training employees or customers may face operational disruptions if coupon misuse leads to financial discrepancies or requires emergency remediation. The medium severity suggests that while the threat is not critical, it warrants timely attention to prevent escalation or combined attacks leveraging this information.

1. Monitor for and apply official patches or updates from Themeum as soon as they are released to address CVE-2026-1371. 2. In the interim, restrict Subscriber-level user capabilities to prevent access to coupon-related AJAX endpoints, either by customizing role permissions or using security plugins that enforce capability checks. 3. Implement web application firewall (WAF) rules to detect and block suspicious AJAX requests targeting coupon details. 4. Audit and monitor coupon usage logs regularly to detect unusual patterns indicative of abuse or unauthorized access. 5. Limit user registrations or enforce stricter verification to reduce the risk of attackers obtaining Subscriber-level accounts. 6. Consider disabling or restricting coupon features if not essential to reduce the attack surface. 7. Educate administrators on the importance of reviewing plugin updates and security advisories promptly. 8. Conduct security testing on custom LMS integrations to ensure proper authorization checks are in place for sensitive functions.