Skip to main content

Tutor LMS WordPress Plugin EUVDEUVD-2026-29914

| CVE-2026-6965 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-13 Wordfence
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 13, 2026 - 06:31 vuln.today
CVE Published
May 13, 2026 - 05:29 nvd
MEDIUM 5.3

DescriptionCVE.org

The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the get_course_id_by() function unconditionally trusting the user-supplied course GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by can_user_manage(), the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.

AnalysisAI

Authenticated instructors in Tutor LMS versions up to 3.9.9 can manipulate course ownership logic via an attacker-controlled GET parameter to perform unauthorized operations on other instructors' courses, including deleting lessons, quizzes, assignments, and student data, or modifying course content and grades. The vulnerability stems from the get_course_id_by() function unconditionally trusting user-supplied input instead of validating course ownership, bypassing the plugin's primary authorization gate. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

Tutor LMS is a WordPress plugin that provides learning management system functionality, including course creation, lesson management, quiz administration, and student grade tracking. The vulnerability exists in the authorization architecture: the get_course_id_by() function in the Utils class accepts a user-supplied course GET parameter and returns it directly without validation, which is then passed to the can_user_manage() function - the sole authorization gate for instructor-level operations. The can_user_manage() function checks whether the current user is an instructor for the supplied course ID, but because that course ID is attacker-controlled, an authorized instructor can claim to manage any course in the system. This Insecure Direct Object Reference (CWE-639) pattern is repeated across multiple content handlers in classes such as Lesson, Quiz, Course, Ajax, and Announcements, each of which retrieves the course ID from the GET parameter and uses it in authorization decisions rather than deriving the course ownership from the target content object itself.

RemediationAI

Update the Tutor LMS plugin to a patched version once released by Themeum - no specific fix version is confirmed in the provided data, so monitor the official plugin repository and Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/55924ea3-373c-4297-a958-5670def1f6c0 for patch availability. As an immediate compensating control, restrict instructor-level WordPress user role assignments to trusted administrators only and implement WordPress user role management policies that limit the number of users with instructor capabilities. Additionally, if the plugin supports it, implement course-level access controls or audit logging to detect unauthorized course modifications. These measures do not eliminate the vulnerability but reduce the attacker pool from all instructors to only those with administrative trust. Database backups should be increased in frequency prior to patching to enable rapid recovery from course content deletion attacks. Note that disabling the plugin entirely is the only way to eliminate exploitation risk until a patch is available, though this will render course management functionality unavailable.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-29914 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy