Impact
The vulnerability is an Authorization Bypass through a User‑Controlled Key in the WordPress Tutor LMS plugin from Themeum. It allows a malicious user to supply arbitrary identifiers that bypass improperly configured access controls and access or modify resources that should be restricted, such as private course content and user data. This weakness falls under CWE‑639, indicating a failure to confirm user authority before granting access. The impact includes potential disclosure of confidential educational materials and alteration or deletion of course contents, compromising the confidentiality and integrity of the site.
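To make the CWE-639 pattern concrete, here is an added example written for this page; it is not Tutor LMS code and does not reproduce the affected endpoint. It shows a hypothetical WordPress REST route (the `demo/v1` namespace, the `course` post type and the function names are assumptions) that trusts a client-supplied course ID, beside a hardened version that confirms the requester's authority over that specific object before reading or changing it.

```php
<?php
// Added example for this page, not Tutor LMS code. Route namespace, post type
// and function names are assumptions; the WordPress API calls are real.

// VULNERABLE (CWE-639): any logged-in caller can pass any ID and read it.
// Being logged in is checked, but not whether *this* user may see *this* course.
function demo_get_course_insecure( WP_REST_Request $request ) {
    $course_id = absint( $request['id'] );
    $course    = get_post( $course_id );   // user-controlled key, no object-level check
    if ( ! $course ) {
        return new WP_Error( 'not_found', 'No such course', array( 'status' => 404 ) );
    }
    return rest_ensure_response( array( 'id' => $course->ID, 'content' => $course->post_content ) );
}

// HARDENED: resolve the key, then check the caller's authority over that object.
function demo_get_course_secure( WP_REST_Request $request ) {
    $course_id = absint( $request['id'] );
    $course    = get_post( $course_id );
    if ( ! $course || 'course' !== $course->post_type ) {   // post type is an assumption
        return new WP_Error( 'not_found', 'No such course', array( 'status' => 404 ) );
    }
    // read_post is a meta capability: WordPress maps it to the author's own
    // rights for private content and to read_private_posts for everyone else.
    if ( ! current_user_can( 'read_post', $course->ID ) ) {
        return new WP_Error( 'forbidden', 'You may not view this course', array( 'status' => 403 ) );
    }
    return rest_ensure_response( array( 'id' => $course->ID, 'content' => $course->post_content ) );
}

// Same rule for writes: the ID names the object, the capability check decides.
function demo_update_course_secure( WP_REST_Request $request ) {
    $course_id = absint( $request['id'] );
    $course    = get_post( $course_id );
    if ( ! $course || 'course' !== $course->post_type ) {
        return new WP_Error( 'not_found', 'No such course', array( 'status' => 404 ) );
    }
    if ( ! current_user_can( 'edit_post', $course->ID ) ) {   // edit_post is object-scoped
        return new WP_Error( 'forbidden', 'You may not edit this course', array( 'status' => 403 ) );
    }
    $updated = wp_update_post( array(
        'ID'           => $course->ID,
        'post_content' => wp_kses_post( $request['content'] ),
    ), true );
    if ( is_wp_error( $updated ) ) {
        return $updated;
    }
    return rest_ensure_response( array( 'id' => $course->ID, 'updated' => true ) );
}

add_action( 'rest_api_init', function () {
    $id_arg = array( 'id' => array( 'validate_callback' => function ( $v ) { return is_numeric( $v ); } ) );

    register_rest_route( 'demo/v1', '/course/(?P<id>\d+)', array(
        array(
            'methods'  => 'GET',
            'callback' => 'demo_get_course_secure',
            // Route-level gate only answers "is someone logged in?"; it is not a
            // substitute for the per-object check inside the callback.
            'permission_callback' => function () { return is_user_logged_in(); },
            'args'     => $id_arg,
        ),
        array(
            'methods'  => 'POST',
            'callback' => 'demo_update_course_secure',
            'permission_callback' => function () { return is_user_logged_in(); },
            'args'     => $id_arg,
        ),
    ) );
} );
```

The distinction that matters for CWE-639 is between authentication (the `permission_callback`, which the insecure handler also has) and object-level authorization (the `current_user_can( 'read_post' | 'edit_post', $id )` call keyed to the identifier the client supplied). When reviewing a plugin for this class of flaw, look for handlers that pass a request parameter straight into `get_post`, `get_user_by` or a custom table query and return or modify the row without a capability or ownership check tied to that row.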
Affected Systems
WordPress sites that run the Themeum Tutor LMS plugin version 3.9.4 or earlier are affected. The flaw exists in all releases of the plugin from its earliest versions through 3.9.4, so any deployment with an older version requires assessment.
Risk and Exploitability
The CVSS score of 3.8 classifies the issue as moderate in severity, and the EPSS score of less than 1% indicates a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack vector is presumably web-based, since the issue involves specific HTTP requests to the plugin's endpoints; the description does not state the vector explicitly, so this is an inference. An attacker can craft requests that include a user-controlled key to gain unauthorized access to protected resources, but the need to know valid identifiers reduces the overall risk.
OpenCVE Enrichment