Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.
Published: 2026-02-03
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authenticated course modification and deletion by privileged users
Action: Apply Patch
AI Analysis

Impact

The Tutor LMS eLearning plugin for WordPress contains an Insecure Direct Object Reference flaw caused by missing authorization checks in the bulk action handlers. Authenticated users with Instructor or higher level access can manipulate the course ID fields in bulk action requests to modify or delete any course, regardless of ownership. This can lead to unauthorized alteration of course content, deletion of courses, and loss of educational material and revenue for the site owner.

Affected Systems

All installations of Tutor LMS up to and including version 3.9.5 are vulnerable. Any WordPress site that has installed one of these revisions and has users with the Instructor role or better is at risk, regardless of the number of courses or users.

Risk and Exploitability

The vulnerability has a CVSS score of 8.1, indicating high severity, but the EPSS score is less than 1%, suggesting that exploitation is currently unlikely to be widespread. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated session, so the attack vector is inferred to be an authenticated API or administrative interface that the plugin exposes for bulk course management.

Generated by OpenCVE AI on April 15, 2026 at 21:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Tutor LMS to the latest release that contains the IDOR fix.
  • If an immediate update is not possible, disable or remove the bulk action endpoints by customizing the plugin or adding a filter that blocks access to the 'course_list_bulk_action', 'bulk_delete_course', and 'update_course_status' functions.
  • Reconfigure the Instructor+ role permissions so that users can only manage courses they own, by applying role‑based access controls or a custom capability check.

Generated by OpenCVE AI on April 15, 2026 at 21:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Themeum
Themeum tutor Lms
Wordpress
Wordpress wordpress
Vendors & Products Themeum
Themeum tutor Lms
Wordpress
Wordpress wordpress

Tue, 03 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 13:15:00 +0000

Type Values Removed Values Added
Description The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.
Title Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Themeum Tutor Lms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:51:47.055Z

Reserved: 2026-01-23T18:04:32.011Z

Link: CVE-2026-1375

cve-icon Vulnrichment

Updated: 2026-02-03T15:46:01.747Z

cve-icon NVD

Status : Deferred

Published: 2026-02-03T08:16:14.733

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1375

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T21:30:13Z

Weaknesses