EUVD-2025-208856

CVE-2025-32223 | Severity: MEDIUM | Published: 2026-03-19 | Source: Patchstack | CVSS 3.1 base score: 6.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 19, 2026 - 08:30 (vuln.today)
EUVD ID Assigned: Mar 19, 2026 - 08:30 (euvd), EUVD-2025-208856
CVE Published: Mar 19, 2026 - 08:05 (nvd), MEDIUM 6.5

Description

Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through 3.9.4.

Analysis

An authorization bypass vulnerability exists in Themeum Tutor LMS through version 3.9.4 that allows authenticated users to access resources they should not have permission to view through user-controlled keys in the access control mechanism. This Insecure Direct Object Reference (IDOR) vulnerability affects all Tutor LMS installations up to and including version 3.9.4, enabling an attacker with low privileges to read sensitive data by manipulating object identifiers. The vulnerability has a CVSS score of 6.5 reflecting moderate severity with high confidentiality impact, and while no KEV or widespread POC exploitation has been publicly confirmed, the attack requires only network access and valid authentication credentials.

Technical Context

This vulnerability is rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), a weakness where applications use user-supplied input directly as an authorization decision point without proper server-side validation. In the context of Themeum Tutor LMS (identified via CPE cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:*:*:*), the vulnerability manifests as an Insecure Direct Object Reference (IDOR) flaw affecting access control security levels. The LMS fails to properly validate whether the authenticated user has legitimate authorization to access course materials, student records, or other protected resources when object identifiers (such as course IDs, student IDs, or lesson IDs) are manipulated in API requests or URL parameters. Rather than enforcing server-side authorization checks based on user roles and enrolled courses, the application relies on client-controlled keys or parameters, allowing privilege escalation within the authentication context.

Affected Products

Themeum Tutor LMS is affected in all versions from the earliest available through version 3.9.4, as confirmed by the CPE string cpe:2.3:a:themeum:tutor_lms:*:*:*:*:*:*:*:*. The vulnerability has been reported by Patchstack and documented in their vulnerability database at https://patchstack.com/database/wordpress/plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-4-insecure-direct-object-references-idor-vulnerability-2. Tutor LMS is a popular WordPress plugin for creating and managing online courses, making this vulnerability applicable to any WordPress installation using Tutor LMS up to version 3.9.4.

Remediation

Immediately upgrade Themeum Tutor LMS to a version released after 3.9.4, which should contain the authorization bypass fix. Check the official Tutor LMS plugin page in the WordPress plugin directory or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/tutor/ for the specific patched version. Until patching is completed, enforce server-side access control in the WordPress environment: use role-based capability checks for all course and student data access, ensure that no object identifier is acted on without validating that the requesting user is authorized for that specific object, and restrict plugin administration to trusted administrators via WordPress user role management. Additionally, review WordPress user account access logs and disable accounts with unnecessary privilege levels to minimize the attack surface for credential-based exploitation.
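As an added illustration of the server-side check the Technical Context and Remediation sections describe (example code, not Tutor LMS's own implementation, which this page does not show): a hypothetical WordPress REST endpoint that serves a lesson only after the server verifies that the requester is enrolled in the owning course or is its instructor, instead of trusting the lesson id the client supplies. The `lesson` post type, the `_lms_course_id` and `_lms_enrolled_courses` meta keys and the `lms_user_is_enrolled()` helper are assumptions standing in for whatever the LMS actually stores.

```php
<?php
// Added example, not Tutor LMS code. Hypothetical route: GET /wp-json/lms/v1/lesson/<id>
add_action( 'rest_api_init', function () {
    register_rest_route( 'lms/v1', '/lesson/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'lms_example_get_lesson',
        // Authorization is decided here, on the server, not by the id the client sends.
        'permission_callback' => 'lms_example_can_read_lesson',
        'args'                => array(
            'id' => array( 'sanitize_callback' => 'absint' ),
        ),
    ) );
} );

// Assumed enrollment record: user meta holding the course IDs the user is enrolled in.
function lms_user_is_enrolled( $user_id, $course_id ) {
    $courses = (array) get_user_meta( $user_id, '_lms_enrolled_courses', true ); // assumed key
    return in_array( (int) $course_id, array_map( 'intval', $courses ), true );
}

function lms_example_can_read_lesson( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $lesson = get_post( absint( $request['id'] ) );
    if ( ! $lesson || 'lesson' !== $lesson->post_type ) { // 'lesson' post type is assumed
        return new WP_Error( 'rest_not_found', 'Not found.', array( 'status' => 404 ) );
    }
    // Resolve the owning course from the lesson record itself, never from a request parameter.
    $course_id     = (int) get_post_meta( $lesson->ID, '_lms_course_id', true ); // assumed key
    $user_id       = get_current_user_id();
    $course        = get_post( $course_id );
    $is_instructor = $course && (int) $course->post_author === $user_id;

    if ( current_user_can( 'manage_options' ) || $is_instructor || lms_user_is_enrolled( $user_id, $course_id ) ) {
        return true;
    }
    // Same response as a missing object, so the check does not confirm that the id exists.
    return new WP_Error( 'rest_not_found', 'Not found.', array( 'status' => 404 ) );
}

function lms_example_get_lesson( WP_REST_Request $request ) {
    $lesson = get_post( absint( $request['id'] ) ); // already authorized by permission_callback
    return rest_ensure_response( array(
        'id'      => $lesson->ID,
        'title'   => $lesson->post_title,
        'content' => apply_filters( 'the_content', $lesson->post_content ),
    ) );
}
```

The point to verify in a real audit is that every handler that accepts an object id performs an equivalent per-object check; a capability check alone (is this user a student?) does not stop one student from reading another student's records.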

Priority Score

Priority Score: 33 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +32
POC: 0

EUVD-2025-208856 vulnerability details – vuln.today