CVE-2026-0548
Unknown Unknown - Not Provided
Unauthorized Attachment Deletion in Tutor LMS via Missing Capability Check

Publication date: 2026-01-20

Last updated on: 2026-01-20

Assigner: Wordfence

Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-01-20
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-0548
EUVD
EUVD-2026-3412
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
themeum tutor_lms to 3.9.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Tutor LMS WordPress plugin allows authenticated users with subscriber-level access or higher to delete arbitrary attachments on the site due to a missing capability check in the delete_existing_user_photo function. Essentially, the plugin did not properly verify that the user had permission to delete certain attachments, enabling unauthorized deletion of files. The issue was fixed by adding authorization checks to ensure that only attachments owned by the user can be deleted or assigned as profile photos. [1]

Impact Analysis

An attacker with subscriber-level access could exploit this vulnerability to delete arbitrary attachments on the WordPress site, potentially removing important files or media. This could lead to data loss, disruption of site content, and unauthorized manipulation of site resources, impacting site integrity and availability. [1]

Detection Guidance

You can detect this vulnerability by checking if your WordPress site is running Tutor LMS plugin version 3.9.4 or earlier. Additionally, monitoring for unauthorized deletion of attachments or unusual deletion activity by users with subscriber-level access or above may indicate exploitation attempts. Since the vulnerability involves unauthorized deletion via the `delete_existing_user_photo` function, you can audit your WordPress logs for calls to wp_delete_attachment by low-privilege users. Specific commands might include searching your web server or WordPress logs for deletion events or suspicious API calls related to attachment deletion. However, no explicit commands are provided in the resources. [1]

Mitigation Strategies

The immediate mitigation step is to update the Tutor LMS plugin to version 3.9.5 or later, where the vulnerability is fixed by adding proper authorization checks to ensure only owners can delete or assign profile photos. Until the update is applied, restrict subscriber-level users from accessing photo deletion functionality or monitor and audit attachment deletions closely. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0548. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart