Skip to main content

Tutor Lms EUVDEUVD-2025-208856

| CVE-2025-32223 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-19 Patchstack
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 19, 2026 - 08:30 euvd
EUVD-2025-208856
Analysis Generated
Mar 19, 2026 - 08:30 vuln.today
CVE Published
Mar 19, 2026 - 08:05 nvd
MEDIUM 6.5

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through 3.9.4.

AnalysisAI

An authorization bypass vulnerability exists in Themeum Tutor LMS through version 3.9.4 that allows authenticated users to access resources they should not have permission to view through user-controlled keys in the access control mechanism. This Insecure Direct Object Reference (IDOR) vulnerability affects all Tutor LMS installations up to and including version 3.9.4, enabling an attacker with low privileges to read sensitive data by manipulating object identifiers. The vulnerability has a CVSS score of 6.5 reflecting moderate severity with high confidentiality impact, and while no KEV or widespread POC exploitation has been publicly confirmed, the attack requires only network access and valid authentication credentials.

Technical ContextAI

This vulnerability is rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), a weakness where applications use user-supplied input directly as an authorization decision point without proper server-side validation. In the context of Themeum Tutor LMS (identified via CPE cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:*:*:*), the vulnerability manifests as an Insecure Direct Object Reference (IDOR) flaw affecting access control security levels. The LMS fails to properly validate whether the authenticated user has legitimate authorization to access course materials, student records, or other protected resources when object identifiers (such as course IDs, student IDs, or lesson IDs) are manipulated in API requests or URL parameters. Rather than enforcing server-side authorization checks based on user roles and enrolled courses, the application relies on client-controlled keys or parameters, allowing privilege escalation within the authentication context.

RemediationAI

Immediately upgrade Themeum Tutor LMS to a version released after 3.9.4, which should contain authorization bypass fixes. Visit the official Tutor LMS plugin page in the WordPress plugin directory or the vendor's security advisory at https://patchstack.com/database/wordpress/plugin/tutor/ for the specific patched version. Until patching is completed, implement server-side access control verification in the WordPress environment by using role-based capability checks for all course and student data access, ensure that no object identifiers are directly exposed to users without validation, and restrict plugin functionality to trusted administrators via WordPress user role management. Additionally, review WordPress user account access logs and disable accounts with unnecessary privilege levels to minimize the attack surface for credential-based exploitation.

CVE-2024-1751 HIGH POC
8.8 Mar 13

The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via

CVE-2024-4351 HIGH
8.8 May 16

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data

CVE-2024-4352 HIGH
8.8 May 16

The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data

CVE-2021-24184 HIGH POC
8.8 Apr 05

Several AJAX endpoints in the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7.7 were unprot

CVE-2024-10400 HIGH POC
7.5 Nov 21

The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the ‘rating_filter’ parameter in all versions up t

CVE-2023-3133 HIGH POC
7.5 Jul 04

The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowi

CVE-2026-12275 HIGH POC
7.1 Jul 13

Broken authorization in the Tutor LMS WordPress plugin (before 3.9.13) lets authenticated subscriber-level users bypass

CVE-2026-12274 MEDIUM POC
6.5 Jul 13

Broken object-level authorization in the Tutor LMS WordPress plugin before 3.9.13 allows any authenticated instructor-le

CVE-2021-24186 MEDIUM POC
6.5 Apr 05

The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS - eLearning and online course soluti

CVE-2021-24185 MEDIUM POC
6.5 Apr 05

The tutor_place_rating AJAX action from the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7

CVE-2021-24183 MEDIUM POC
6.5 Apr 05

The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS - eLearning and online course solution WordPress

CVE-2021-24182 MEDIUM POC
6.5 Apr 05

The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS - eLearning and online course solution Wor

Share

EUVD-2025-208856 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy