CVE-2026-1371
Tutor LMS <= 3.9.5 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX ActionThe Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications.
We have discovered 8,566 live websites that are affected by CVE-2026-1371.
Affected Software
| Product | |
| Category | Learning Management System |
| Vulnerable Domains | 8,566 live websites (100% of Tutor LMS install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 119 versions ( 100% of all versions) |
Common Weakness Enumeration
CWE-200 Exposure of Sensitive Information to an Unauthorized ActorDetails
- Published - Feb 3, 2026
- Updated - Feb 3, 2026
Credits
- Supakiad S. (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-1371 United States | 2,486 websites |
 Germany | 671 websites |
 Cyprus | 472 websites |
 India | 415 websites |
 France | 392 websites |
 GB | 373 websites |
 Poland | 365 websites |
 Brazil | 313 websites |
 Italy | 239 websites |
 Spain | 206 websites |
Website Distribution by TLD
Number of websites using CVE-2026-1371| .com | 4,079 websites |
| .org | 573 websites |
| .pl | 280 websites |
| .com.br | 261 websites |
| .de | 185 websites |
| .net | 177 websites |
| .it | 159 websites |
| .co.uk | 155 websites |
| .fr | 132 websites |
| .nl | 114 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-1371
Top websites that are affected by CVE-2026-1371. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *******.org | United States | **,*** | |
| **********.com | United States | **,*** | |
| ***************.org | United States | **,*** | |
| *************.org | United States | **,*** | |
| **********.com | GB | **,*** | |
| ********************.com | United States | ***,*** | |
| *****.com | France | ***,*** | |
| ************.org | United States | ***,*** | |
| *****.co | Cyprus | ***,*** | |
| *****************.org | United States | ***,*** |
FAQ
CVE-2026-1371 is Exposure of Sensitive Information to an Unauthorized Actor in Tutor LMS
A total of 8,566 websites have been identified as vulnerable to CVE-2026-1371, based on global website indexing conducted by WebTechSurvey.
The Tutor LMS is affected by the CVE-2026-1371 vulnerability.
Tutor LMS versions up to and including 3.9.5 are vulnerable to CVE-2026-1371.
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7f5c5f64-a864-4ce1-9080-19f7c4418307?source=cve
- https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L106
- https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L658
- https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/ecommerce/CouponController.php?contextall=1&old=3422766&old_path=%2Ftutor%2Ftrunk%2Fecommerce%2FCouponController.php