Running an eLearning site means handling a lot of moving parts. There are thousands of students, courses, instructors, payments, and content that are all connected.
That also means security needs to be taken seriously at every level.
With Tutor LMS v3.9.8, the goal is simple: tighten the existing security, update the weak points, and make the overall plugin safer in areas that matter most.
While most Tutor LMS updates focus on new features, this update is about the “armor”—the invisible layers of code that keep your student data, eCommerce data, and course content safer from security vulnerabilities.
Let’s have a quick look at the changelog of Tutor LMS v3.9.8.
Changelog of Tutor LMS v3.9.8
- Update: Added proper authorization check while updating the lessons.
- Update: Strengthen SQL queries across multiple deletion and update operations.
- Update: Improved security in quiz attempts search by preventing SQL injection.
- Fix: Fixed private course enrollment via AJAX without proper validation.
- Fix: Resolved the billing profile overwrite issue in Tutor LMS native eCommerce.
- Fix: Replaced wp_remote_get with wp_safe_remote_get for safer course import with media files.
Detailed Security Improvements in v3.9.8
Now let’s take a closer look at each of the security improvements in Tutor LMS v3.9.8.
1. Updating Lessons inside a Topic
Sorting lessons is a common task for instructors. But earlier, the AJAX handler responsible for updating the lessons under a specific topic did not perform a proper authorization check. That meant any logged-in user could call the endpoint directly to reorder, add, or remove lessons.
But we’ve resolved this issue in Tutor LMS v3.9.8. Now:
- Every lesson modification request will be checked against user permissions.
- Only users with the right access can make changes to the topics and lessons.
This keeps the course structure safe from unwanted edits.
2. Private Course Enrollment Protection
Private courses are meant to stay restricted. But the underlying AJAX enrollment call did not verify whether a course was marked private before processing the request. This allowed anyone to enroll in courses that should have been completely off-limits.
This has now been fixed in this security update. We’ve added a robust authorization logic that now validates course access rules before allowing enrollment. So you can say that the private courses are just more private now!
3. Billing Profile Protection in Native eCommerce

Users’ billing information is extremely sensitive and should always be protected. But a missing authorization check in the Tutor LMS Native eCommerce allowed users, in some cases, to overwrite billing profiles without verifying that the profile being updated belonged to the requesting user.
However, we’ve now added user-specific capability and ownership checks to ensure users can only update their own billing information. It makes the native eCommerce more secure than ever.
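Items 1 to 3 each describe an AJAX endpoint that lacked a server-side check on the specific object being changed. The sketch below is an added example of that check for the lesson case, not Tutor LMS code. The action name, nonce name, request fields, and the assumption that lessons are stored as child posts of a topic are all hypothetical.

```php
<?php
// Hypothetical AJAX handler; runs inside WordPress. The action name, nonce
// action and field names are illustrative, not Tutor LMS identifiers.
add_action( 'wp_ajax_example_update_topic_lessons', 'example_update_topic_lessons' );

function example_update_topic_lessons() {
	// 1. CSRF: reject requests without a valid nonce (dies with 403 on failure).
	check_ajax_referer( 'example_topic_nonce', 'nonce' );

	$topic_id   = isset( $_POST['topic_id'] ) ? absint( $_POST['topic_id'] ) : 0;
	$lesson_ids = isset( $_POST['lesson_ids'] )
		? array_values( array_map( 'absint', (array) $_POST['lesson_ids'] ) )
		: array();

	// 2. Authorization: being logged in is not enough. The caller must be
	//    allowed to edit this specific topic (per-object meta capability).
	if ( ! $topic_id || ! current_user_can( 'edit_post', $topic_id ) ) {
		wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
	}

	// 3. Object check: every submitted lesson must already belong to the topic
	//    (assumption: lessons are child posts of the topic). Validate the whole
	//    list before writing anything, so a bad ID cannot cause a partial update.
	foreach ( $lesson_ids as $lesson_id ) {
		$lesson = get_post( $lesson_id );
		if ( ! $lesson || (int) $lesson->post_parent !== $topic_id ) {
			wp_send_json_error( array( 'message' => 'Lesson not in topic.' ), 400 );
		}
	}

	// 4. Only now apply the new order.
	foreach ( $lesson_ids as $order => $lesson_id ) {
		wp_update_post(
			array(
				'ID'         => $lesson_id,
				'menu_order' => $order,
			)
		);
	}

	wp_send_json_success();
}
```

The same shape applies to the billing case: compare the profile's owner with `get_current_user_id()` before writing, instead of trusting a user ID supplied in the request.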
4. Preventing SQL Injection
A significant portion of this release focuses on replacing raw, unparameterized SQL queries with properly prepared statements throughout the whole plugin.
This change has been applied across multiple areas, including:
- Quiz attempts search
- Course, quiz, and assignment deletion
- Quiz Builder and Content Bank data handling
- Q&A, reviews, comments, and ratings removal
- Enrollment status updates
- Email cron job cleanup
- Full data removal when Tutor LMS is uninstalled
These are low-visibility operations that often go unexamined in security audits precisely because they are infrequently triggered in normal use. Hardening them now removes a category of security vulnerability.
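An added example of the prepared-statement pattern for two of the operations listed above, a search and a bulk deletion, using WordPress's `$wpdb->prepare()`. This is not Tutor LMS code; the table and column names are hypothetical.

```php
<?php
// Hypothetical table and column names; runs inside WordPress.
function example_search_quiz_attempts( $search, $limit = 20 ) {
	global $wpdb;
	$table = $wpdb->prefix . 'example_quiz_attempts';

	// Pattern being replaced: request input concatenated into the SQL text.
	// $wpdb->get_results( "SELECT * FROM {$table} WHERE student_name LIKE '%{$search}%'" );

	// esc_like() escapes LIKE wildcards (% and _) in the input;
	// prepare() then binds the value as a quoted, escaped string.
	$like = '%' . $wpdb->esc_like( $search ) . '%';

	return $wpdb->get_results(
		$wpdb->prepare(
			"SELECT attempt_id, student_name, earned_marks
			 FROM {$table}
			 WHERE student_name LIKE %s
			 ORDER BY attempt_id DESC
			 LIMIT %d",
			$like,
			absint( $limit )
		)
	);
}

function example_delete_attempts( array $attempt_ids ) {
	global $wpdb;
	$table = $wpdb->prefix . 'example_quiz_attempts';

	// Cast every ID to a non-negative integer and drop zeros.
	$ids = array_values( array_filter( array_map( 'absint', $attempt_ids ) ) );
	if ( empty( $ids ) ) {
		return 0; // Never run a DELETE with an empty or unvalidated ID list.
	}

	// One %d placeholder per ID, so the IN (...) list is fully parameterized.
	$placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );

	return $wpdb->query(
		$wpdb->prepare(
			"DELETE FROM {$table} WHERE attempt_id IN ({$placeholders})",
			$ids
		)
	);
}
```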
5. Safer Course Import with Media Files
When importing courses that include external media files, Tutor LMS previously used the wp_remote_get() function to fetch remote resources. Now, we have switched to the more secure wp_safe_remote_get() function. This adds additional validation against redirects to internal/localhost addresses and other potential Server-Side Request Forgery (SSRF) risks. It also makes the course importing process significantly safer, especially on sites that allow instructors to import courses from external sources.
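An added example of the switch described above, wrapped in a helper that also bounds redirects, time and response size. This is not Tutor LMS code; the function name, limits and error code are hypothetical.

```php
<?php
// Hypothetical helper for fetching one media file during a course import;
// runs inside WordPress.
function example_fetch_import_media( $url ) {
	// Before: wp_remote_get( $url ) requests whatever URL it is given.
	// After: wp_safe_remote_get() enables 'reject_unsafe_urls', so WordPress
	// validates the URL, and redirect targets, before connecting and refuses
	// destinations such as loopback or private-range addresses.
	$response = wp_safe_remote_get(
		$url,
		array(
			'timeout'             => 15,               // Seconds; do not hang the import.
			'redirection'         => 3,                // Cap the redirect chain.
			'limit_response_size' => 20 * MB_IN_BYTES, // Cap the downloaded size.
		)
	);

	// A rejected (unsafe) URL comes back as a WP_Error, as do network failures.
	if ( is_wp_error( $response ) ) {
		return $response;
	}

	if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
		return new WP_Error( 'example_import_http', 'Unexpected HTTP status for media file.' );
	}

	return wp_remote_retrieve_body( $response );
}
```

Callers should check the result with `is_wp_error()` and skip the file rather than retrying with the unvalidated function.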
Recommendations for Maximum Security

- Keep Tutor LMS, WordPress core, and all plugins/themes updated to the latest version
- Use strong, unique passwords and enable two-factor authentication (2FA)
- Regularly review user roles and permissions to prevent unauthorized access
- Monitor site logs for suspicious activity and unusual login attempts
- Limit the number of admin accounts and assign roles carefully
- Back up your site regularly and store backups securely offsite
Our Commitment to Security
This release is part of our ongoing effort to make Tutor LMS the most secure LMS plugin for WordPress. We regularly audit code, respond quickly to security vulnerabilities, and implement best practices like proper capability checks, prepared statements, and safe remote requests.
Final Thoughts
We deeply appreciate the trust you place in Tutor LMS every day. This security-focused release is part of our continuous effort to make Tutor LMS the safest LMS plugin on WordPress.
A big thank you to the security researchers and community members who help us identify and responsibly resolve issues. Together, we are making Tutor LMS stronger.
Update to Tutor LMS v3.9.8 now and protect your courses, students, and eCommerce data from potential security vulnerabilities.