CVE-2026-6965 - Vulnerability Details

- Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.

Published: 2026-05-13

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Tutor LMS plugin for WordPress permits authenticated attackers with instructor-level privileges to delete any instructor’s course content, including lessons, quizzes, assignments, announcements, and Q&A threads. The vulnerability arises from the get_course_id_by() function unconditionally trusting a user‑supplied course GET parameter, which then bypasses the plugin’s authorization gate for management actions. As a result, an attacker can permanently remove student attempt data, manipulate grades, and read unpublished content. These activities compromise data integrity and confidentiality for all affected courses.

Affected Systems

WordPress installations running the Tutor LMS plugin version 3.9.9 or earlier. Any site that has the plugin installed and has users with instructor-level or higher privileges is at risk. No other vendors or product versions are currently noted as affected.

Risk and Exploitability

The CVSS score of 5.3 indicates a medium‑severity risk, and there is no EPSS data available. The vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate to the WordPress site with at least instructor credentials; the exploitation path then involves sending a crafted request containing a malicious course ID in the GET parameter. Once the request reaches the can_user_manage() gate, the owner check is performed against the attacker‑supplied ID, allowing arbitrary deletion or modification of another instructor’s content.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

themeum

Tutor LMS – eLearning and online course solution

unaffected

Version	Status	Constraints
`0`	affected	≤ 3.9.9

No data.

Vendor Product Confidence Versions

Themeum

Tutor Lms – Elearning And Online Course Solution

100%

Version	Status	Scheme	Platform
`[0,3.9.9]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Tutor LMS to version 3.9.10 or later, which removes the insecure direct object reference check.
If an immediate update is not possible, restrict the get_course_id_by() function to validate the course ID against the authenticated user’s owned courses and reject requests that reference foreign courses.
Implement audit logging for content deletion and grade manipulation actions, and regularly review logs for anomalous activity by instructors.

Generated by OpenCVE AI on May 13, 2026 at 07:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00081.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L294
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L507
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L586
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Announcements.php#L105
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1997
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2045
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L186
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L243
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L341
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L219
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L297
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L339
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1007
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1041
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L888
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L7829
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L8020
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L294
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L507
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L586
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Announcements.php#L105
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L1997
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L2045
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L186
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L243
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L341
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L219
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L297
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L339
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1007
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1041
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L888
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L7829
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L8020
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L294
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L507
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L586
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Announcements.php#L105
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1997
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2045
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L186
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L243
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L341
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L219
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L297
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L339
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1007
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1041
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L888
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L7829
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L8020
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3518400%40tutor&new=3518400%40tutor&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/55924ea3-373c-4297-a958-5670def1f6c0?source=cve

History

Wed, 13 May 2026 11:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 13 May 2026 08:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Themeum Themeum tutor Lms – Elearning And Online Course Solution Wordpress Wordpress wordpress
Vendors & Products		Themeum Themeum tutor Lms – Elearning And Online Course Solution Wordpress Wordpress wordpress

Wed, 13 May 2026 06:00:00 +0000

Type	Values Removed	Values Added
Description		The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.
Title		Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter
Weaknesses		CWE-639
References		https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L294 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L507 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L586 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Announcements.php#L105 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1997 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2045 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L186 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L243 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L341 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L219 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L297 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L339 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1007 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1041 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L888 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L7829 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L8020 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L294 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L507 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L586 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Announcements.php#L105 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L1997 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L2045 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L186 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L243 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L341 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L219 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L297 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L339 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1007 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1041 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L888 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L7829 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L8020 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L294 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L507 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L586 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Announcements.php#L105 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1997 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2045 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L186 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L243 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L341 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L219 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L297 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L339 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1007 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1041 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L888 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L7829 https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L8020 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3518400%40tutor&new=3518400%40tutor&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/55924ea3-373c-4297-a958-5670def1f6c0?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Themeum Tutor Lms – Elearning And Online Course Solution

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-05-13T05:29:37.082Z

Updated: 2026-05-13T10:20:41.926Z

Reserved: 2026-04-24T16:01:40.686Z

Link: CVE-2026-6965

Vulnrichment

Updated: 2026-05-13T10:18:23.776Z

NVD

Status : Deferred

Published: 2026-05-13T06:16:15.087

Modified: 2026-05-13T14:43:46.717

Link: CVE-2026-6965

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T08:30:15Z

Weaknesses

CWE-639

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object