CVE-2026-0548
Unauthorized Attachment Deletion in Tutor LMS via Missing Capability Check
Publication date: 2026-01-20
Last updated on: 2026-01-20
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themeum | tutor_lms | up to and including 3.9.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Tutor LMS WordPress plugin allows authenticated users with subscriber-level access or higher to delete arbitrary attachments on the site because of a missing capability check in the delete_existing_user_photo function. The function accepted an attachment ID and deleted it without verifying that the attachment belonged to the requesting user, so any logged-in user could delete any attachment on the site (CWE-862). The issue was fixed by adding authorization checks so that only attachments owned by the current user can be deleted or assigned as that user's profile photo. [1]
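To make the CWE-862 pattern concrete, here is an added illustration (not Tutor LMS's own code and not the patched function) of a profile-photo removal handler in the vulnerable shape next to a hardened version. The handler, hook and user-meta names prefixed `example_` are assumptions for this example; the WordPress APIs used (`wp_delete_attachment`, `get_post`, `current_user_can`, `check_ajax_referer`) are real.

```php
<?php
// Added illustration, not Tutor LMS code: a minimal profile-photo removal
// handler in the vulnerable shape, then the same handler with ownership checks.
// All example_* names are assumptions for this illustration.

// VULNERABLE shape: the only gate is "is someone logged in". The attachment ID
// comes straight from the request, so any subscriber can delete any attachment.
function example_delete_profile_photo_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $attachment_id = isset( $_POST['photo_id'] ) ? absint( $_POST['photo_id'] ) : 0;
    wp_delete_attachment( $attachment_id, true ); // CWE-862: no ownership check
    wp_send_json_success();
}

// HARDENED shape: verify the nonce, confirm the ID is really an attachment,
// allow deletion only when the caller uploaded it (or may delete others'
// posts), and bind the request to the caller's current profile photo.
function example_delete_profile_photo_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    check_ajax_referer( 'example_delete_profile_photo', '_wpnonce' );

    $attachment_id = isset( $_POST['photo_id'] ) ? absint( $_POST['photo_id'] ) : 0;
    $attachment    = get_post( $attachment_id );
    $user_id       = get_current_user_id();

    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }

    // Ownership: the uploader (post_author) must be the caller, unless the
    // caller holds delete_others_posts (editors and administrators).
    $owns_it   = (int) $attachment->post_author === $user_id;
    $privileged = current_user_can( 'delete_others_posts' );
    if ( ! $owns_it && ! $privileged ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Scope: a "delete my profile photo" endpoint should only ever touch the
    // attachment currently recorded as the caller's profile photo, so it cannot
    // be repurposed to remove other uploads the caller happens to own.
    $current_photo = (int) get_user_meta( $user_id, 'example_profile_photo', true );
    if ( $current_photo !== $attachment_id && ! $privileged ) {
        wp_send_json_error( 'not the current profile photo', 403 );
    }

    wp_delete_attachment( $attachment_id, true );
    delete_user_meta( $user_id, 'example_profile_photo' );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_profile_photo', 'example_delete_profile_photo_hardened' );
```

The key difference is that the hardened handler derives what may be deleted from server-side state (the attachment's `post_author` and the caller's own profile-photo meta) rather than trusting the ID in the request; `is_user_logged_in()` on its own is authentication, not authorization.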
How can this vulnerability impact me?
An attacker with subscriber-level access could exploit this vulnerability to delete arbitrary attachments on the WordPress site, potentially removing important files or media. This could lead to data loss, disruption of site content, and unauthorized manipulation of site resources, impacting site integrity and availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking whether your WordPress site is running Tutor LMS version 3.9.4 or earlier. The plugin's WordPress.org slug is `tutor`, so with WP-CLI the installed version can be read with `wp plugin get tutor --field=version` (or `wp plugin list --name=tutor --fields=name,version,status`). Additionally, monitoring for unauthorized deletion of attachments or unusual deletion activity by users with subscriber-level access or above may indicate exploitation attempts. Because the vulnerability is an unauthorized deletion via the `delete_existing_user_photo` function, auditing calls to wp_delete_attachment by low-privilege users is the most direct signal; note that WordPress core does not log attachment deletions by default, so this requires an audit-logging plugin or a hook on the `delete_attachment` action. Web server access logs can be searched for POST requests to admin-ajax.php or the plugin's REST routes from low-privilege accounts, but they do not record which attachment was removed. No explicit commands are provided in the resources. [1]
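Since WordPress core does not record attachment deletions, here is an added example (not from the advisory or from Tutor LMS) of a must-use plugin that hooks the core `delete_attachment` action and writes an audit line whenever the deleting user is neither the uploader nor someone allowed to delete others' posts. That is exactly the pattern an exploit of this bug leaves behind. The `example_` names are assumptions; the hook, the `WP_DEBUG_LOG` behaviour and the WordPress functions used are real.

```php
<?php
/**
 * Plugin Name: Example attachment deletion audit
 *
 * Added example, not part of Tutor LMS or the original advisory. Drop this
 * file into wp-content/mu-plugins/ to log every attachment deletion and flag
 * the ones performed by a user who did not upload the file and does not hold
 * delete_others_posts. Names prefixed example_ are assumptions for this
 * illustration.
 */

function example_audit_attachment_deletion( $post_id ) {
    $attachment = get_post( $post_id );
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        return;
    }

    $user    = wp_get_current_user();
    $user_id = (int) $user->ID;
    $owner   = (int) $attachment->post_author;

    // A subscriber deleting someone else's upload is the exploit signature.
    $foreign = ( $user_id !== $owner ) && ! current_user_can( 'delete_others_posts' );

    $entry = array(
        'time'        => gmdate( 'c' ),
        'event'       => $foreign ? 'FOREIGN_ATTACHMENT_DELETE' : 'attachment_delete',
        'user_id'     => $user_id,
        'user_login'  => $user->user_login,
        'roles'       => implode( ',', (array) $user->roles ),
        'owner_id'    => $owner,
        'attachment'  => (int) $post_id,
        'file'        => get_attached_file( $post_id ),
        'uri'         => isset( $_SERVER['REQUEST_URI'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '',
        // For admin-ajax.php requests this is the plugin's AJAX action name.
        'ajax_action' => isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '',
        'ip'          => isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
    );

    // error_log() writes to the PHP error log, or to wp-content/debug.log when
    // WP_DEBUG_LOG is enabled. Forward that file to your SIEM and alert on the
    // FOREIGN_ATTACHMENT_DELETE event.
    error_log( 'attachment-audit ' . wp_json_encode( $entry ) );
}

// 'delete_attachment' fires before WordPress removes the post row and the
// files on disk, so the owner and file path are still resolvable here.
add_action( 'delete_attachment', 'example_audit_attachment_deletion', 10, 1 );
```

With `WP_DEBUG_LOG` enabled, `grep FOREIGN_ATTACHMENT_DELETE wp-content/debug.log` lists the suspicious deletions with the acting account, its roles, the attachment owner and the request URI, which is enough to scope an incident and to decide which accounts to disable while the plugin is updated.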
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Tutor LMS plugin to version 3.9.5 or later, where the vulnerability is fixed by adding proper authorization checks so that only the owner of an attachment can delete it or assign it as a profile photo. Until the update is applied, restrict subscriber-level users from accessing the photo deletion functionality, or monitor and audit attachment deletions closely. [1]