The Tutor LMS WordPress plugin before 3.9.13 does not, in its Droip and Kirki page-builder integration, perform the enrollment, purchase, and private-course capability checks it enforces in its core course handler, allowing authenticated users with subscriber-level access to enroll in paid or private courses without authorization, read private course content, and mark arbitrary courses as completed, on sites where the Droip or Kirki integration is active.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The Tutor LMS WordPress plugin before version 3.9.13 contains an authorization bypass vulnerability in its Droip and Kirki page-builder integrations. When these integrations are active, the plugin fails to enforce enrollment, purchase, and private-course capability checks that are present in its core course handler. This allows authenticated users with subscriber-level permissions to bypass payment requirements, access private course content without authorization, and fraudulently mark courses as completed. Organizations running WordPress sites with Tutor LMS and either Droip or Kirki page-builder integration are directly affected, particularly educational institutions, training platforms, and e-learning businesses that rely on course monetization and access controls.
While this CVE currently has no mapped MITRE ATT&CK techniques or matching Casky skills, practitioners investigating this vulnerability pattern would look for indicators aligned with T1548 (Abuse Elevation Control Mechanism) and T1078 (Valid Accounts). Casky's extended reasoning capabilities would help practitioners analyze suspicious course enrollment patterns—particularly subscriber accounts completing premium courses without payment records, accessing restricted course materials, or generating completion certificates. Security teams should monitor WordPress audit logs for unauthorized course updates, enrollment modifications, and content access from low-privilege accounts. Detection should focus on discrepancies between purchase records and course completion events, especially when page-builder integrations process requests that bypass the core authorization layer. Immediate remediation requires updating to version 3.9.13 or later and reviewing course access logs for unauthorized activities on affected sites.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-12275. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation