Description
The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the tutor_assignment_submit() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and edit assignment submissions of other students.
Published: 2025-10-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized assignment access and potential data modification
Action: Upgrade
AI Analysis

Impact

The Tutor LMS Pro plugin for WordPress suffers from an insecure direct object reference that allows authenticated users with a Subscriber role or higher to view and edit the assignment submissions of other students. This flaw stems from missing validation on a user‑controlled key within the tutor_assignment_submit() function, thereby exposing confidential student work and enabling tampering with another user’s data. The vulnerability could be used to exfiltrate or alter sensitive coursework, compromising confidentiality and integrity of academic content.

Affected Systems

WordPress sites using the themeum Tutor LMS Pro plugin with versions up to and including 3.8.3 are affected. Any site running these legacy versions that allows Subscriber users to submit assignments is vulnerable; the issue is tied directly to the assignment submission handling within the plugin.

Risk and Exploitability

The CVSS score of 5.4 indicates a medium impact, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The flaw is not listed in CISA’s KEV catalog. An attacker must first authenticate as a Subscriber or higher to exploit the vulnerability, typically through a browser session to the assignment submission endpoint. Because the weak credential validation occurs on the server side, the attack requires only normal web access and does not rely on privileged network exploitation.

Generated by OpenCVE AI on April 22, 2026 at 00:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tutor LMS Pro to a version newer than 3.8.3 where the IDOR issue has been addressed.
  • If an upgrade is not feasible, limit the Subscriber role’s capabilities to prevent access to assignment edit endpoints—use a role‑management or permission‑control plugin to revoke those capabilities.
  • As a temporary measure, deploy a web‑application firewall rule or rewrite the endpoint URL to restrict the tutor_assignment_submit() route to only users with a Teacher or higher role.

Generated by OpenCVE AI on April 22, 2026 at 00:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Themeum
Themeum tutor Lms
Wordpress
Wordpress wordpress
Vendors & Products Themeum
Themeum tutor Lms
Wordpress
Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 25 Oct 2025 05:45:00 +0000

Type Values Removed Values Added
Description The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the tutor_assignment_submit() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and edit assignment submissions of other students.
Title Tutor LMS Pro – eLearning and online course solution <= 3.8.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to View/Edit Other Assignments
Weaknesses CWE-285
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Themeum Tutor Lms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:14.403Z

Reserved: 2025-06-25T14:18:39.748Z

Link: CVE-2025-6639

cve-icon Vulnrichment

Updated: 2025-10-27T15:58:06.778Z

cve-icon NVD

Status : Deferred

Published: 2025-10-25T06:15:36.330

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6639

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T00:45:04Z

Weaknesses