Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Network-accessible IDOR requiring only low-privilege auth; write-only impact with no confidentiality or availability effect aligns with object-modification scope.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.13.
AnalysisAI
Insecure Direct Object Reference (IDOR) in Tutor LMS WordPress plugin allows authenticated low-privilege users to bypass authorization controls by manipulating user-controlled keys, resulting in unauthorized modification of LMS objects such as courses, lessons, or student records. Affected versions span all releases through 3.9.13 by Themeum. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid low-privilege WordPress account on the target site (PR:L per CVSS vector) - this could be a registered student, subscriber, or any role that can authenticate to the WordPress instance. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (Medium) reflects a network-accessible, low-complexity attack requiring only low-privilege authentication (PR:L) with no user interaction, resulting in high integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free student account on a WordPress site running Tutor LMS 3.9.13 or earlier. By intercepting and replaying authenticated requests with manipulated object IDs - such as substituting another student's enrollment ID or a course content ID - the attacker modifies records they do not own, potentially altering quiz results, enrollment statuses, or course content. … |
| Remediation | The primary fix is to update Tutor LMS to a version beyond 3.9.13 once a patched release is published by Themeum; consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-13-insecure-direct-object-references-idor-vulnerability for the confirmed patched version, which was not independently confirmed in the available data (see confidence notes). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data
Several AJAX endpoints in the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7.7 were unprot
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the ‘rating_filter’ parameter in all versions up t
The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowi
Broken authorization in the Tutor LMS WordPress plugin (before 3.9.13) lets authenticated subscriber-level users bypass
Broken object-level authorization in the Tutor LMS WordPress plugin before 3.9.13 allows any authenticated instructor-le
The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS - eLearning and online course soluti
The tutor_place_rating AJAX action from the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7
The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS - eLearning and online course solution WordPress
The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS - eLearning and online course solution Wor
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43352