CVE-2026-0548 - Vulnerability Details

- Tutor LMS – eLearning and online course solution <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.

Published: 2026-01-20

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Tutor LMS plugin for WordPress has a missing capability check on the delete_existing_user_photo function. As a result, any authenticated user with subscriber-level access and above can invoke the function to delete arbitrary attachments stored on the site. This flaw is a classic example of a missing authorization flaw, classified as CWE‑862, and can lead to loss of course materials, user uploads, and other critical media files, thereby affecting data integrity and availability.

Affected Systems

This vulnerability affects the Tutor LMS – eLearning and online course solution plugin for WordPress, versions 3.9.4 and earlier. Users running these plugin versions are exposed to the risk of unauthorized attachment deletion.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The flaw requires only that the attacker be a legitimate authenticated user with subscriber-level or higher role, with no external dependencies. The vulnerability is not listed in CISA’s KEV catalog. Consequently, the risk is moderate but the likelihood of exploitation is low; however, because any authenticated user could delete any attachment, the potential impact on site content integrity remains significant.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

themeum

Tutor LMS – eLearning and online course solution

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.9.4

No data.

Vendor	Product	Confidence	Versions
Themeum	Tutor Lms	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Tutor LMS plugin to version 3.9.5 or newer, which contains the missing capability check on attachment deletion.
If an immediate update is not feasible, restrict media library write permissions for subscriber-level roles, either by adjusting WordPress capabilities or by using a security plugin to block file deletion actions for non-owners.
Enable detailed logging of media library changes so that any unauthorized deletions can be detected and investigated promptly.

Generated by OpenCVE AI on April 15, 2026 at 21:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00053.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/changeset?old_path=/tutor/tags/3.9.4/classes/User.php&new_path=/tutor/tags/3.9.5/classes/User.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/0e475e02-494a-4ad0-a83c-d027c3a32989?source=cve

History

Wed, 21 Jan 2026 11:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Themeum Themeum tutor Lms Wordpress Wordpress wordpress
Vendors & Products		Themeum Themeum tutor Lms Wordpress Wordpress wordpress

Tue, 20 Jan 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 20 Jan 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.
Title		Tutor LMS – eLearning and online course solution <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/changeset?old_path=/tutor/tags/3.9.4/classes/User.php&new_path=/tutor/tags/3.9.5/classes/User.php https://www.wordfence.com/threat-intel/vulnerabilities/id/0e475e02-494a-4ad0-a83c-d027c3a32989?source=cve
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}`

Subscriptions

Themeum Tutor Lms

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-01-20T14:26:31.808Z

Updated: 2026-04-08T16:35:25.884Z

Reserved: 2026-01-01T16:58:14.820Z

Link: CVE-2026-0548

Vulnrichment

Updated: 2026-01-20T14:53:27.059Z

NVD

Status : Deferred

Published: 2026-01-20T15:20:06.687

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0548

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T21:45:14Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object