CVE-2026-1375
Unknown Unknown - Not Provided
IDOR in Tutor LMS Plugin Allows Unauthorized Course Modification

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: Wordfence

Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1375
EUVD
EUVD-2026-5274
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor tutor_lms to 3.9.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability is an Insecure Direct Object References (IDOR) issue in the Tutor LMS WordPress plugin up to version 3.9.5. It occurs because the plugin's functions that handle bulk course actions (`course_list_bulk_action()`), bulk deletion (`bulk_delete_course()`), and course status updates (`update_course_status()`) lack proper object-level authorization checks. As a result, authenticated users with Tutor Instructor-level access or higher can manipulate course IDs in bulk action requests to modify or delete courses they do not own, bypassing intended permission restrictions. [1, 3]

Impact Analysis

This vulnerability allows an authenticated Tutor LMS instructor or higher-level user to modify or delete arbitrary courses they do not own by exploiting missing authorization checks. This can lead to unauthorized changes or removal of course content, potentially disrupting course availability, causing data loss, and impacting the integrity of the eLearning platform. [1, 3]

Detection Guidance

This vulnerability can be detected by monitoring and inspecting AJAX requests related to course bulk actions, status updates, and deletions in the Tutor LMS plugin. Specifically, look for requests to the AJAX actions `tutor_course_list_bulk_action`, `tutor_change_course_status`, and `tutor_course_delete`. Commands to detect suspicious activity could include capturing HTTP requests to these endpoints and checking for unauthorized manipulation of course IDs by users with Instructor-level access. For example, using command-line tools like curl or network monitoring tools to capture and analyze POST requests to admin-ajax.php with the action parameters mentioned. However, no specific commands are provided in the resources. [1, 3]

Mitigation Strategies

Immediate mitigation steps include updating the Tutor LMS plugin to a version later than 3.9.5 where this vulnerability is fixed. Until then, restrict Instructor-level user permissions to prevent unauthorized bulk actions on courses by disabling capabilities such as deleting or publishing courses if possible. Additionally, monitor and audit course bulk action requests for suspicious activity. Implement strict access controls and consider disabling bulk course actions for non-administrator users if feasible. [1, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1375. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart