CVE-2026-1375
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
2Tags
Description
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.
Analysis
Authenticated instructors in Tutor LMS plugin for WordPress versions up to 3.9.5 can modify or delete courses owned by other users due to missing authorization checks in bulk action functions. An attacker with instructor-level access can manipulate course IDs in bulk requests to compromise arbitrary courses without proper permission validation. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit access logs for suspicious activity targeting user IDs and course objects; identify all systems running Tutor LMS and document versions. Within 7 days: Implement WAF rules to detect and block IDOR pattern requests; disable Tutor LMS if not critical, or restrict access via IP whitelisting and require multi-factor authentication. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today