CVE-2026-1375
IDOR in Tutor LMS Plugin Allows Unauthorized Course Modification
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | tutor_lms | up to and including 3.9.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not contain information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability is an Insecure Direct Object Reference (IDOR) issue in the Tutor LMS WordPress plugin up to and including version 3.9.5. The plugin's handlers for bulk course actions (`course_list_bulk_action()`), bulk deletion (`bulk_delete_course()`) and course status updates (`update_course_status()`) check only that the caller has an Instructor-level role; they do not check that the caller owns each course referenced in the request. An authenticated user with Tutor Instructor-level access or higher can therefore substitute the IDs of other instructors' courses in these requests and modify or delete courses that do not belong to them. [1, 3]
How can this vulnerability impact me?
Any authenticated Tutor LMS instructor (or higher-level user) can change the status of, or delete, courses they do not own. The consequences are unauthorized changes to or removal of course content, loss of course availability, data loss, and a loss of integrity for the eLearning platform as a whole. [1, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts arrive as POST requests to `wp-admin/admin-ajax.php` with the `action` parameter set to `tutor_course_list_bulk_action`, `tutor_change_course_status` or `tutor_course_delete`. Because the action name and the course IDs travel in the POST body, a standard web-server access log (which records only the URL) will not show them; you need request-body visibility, for example a WAF or ModSecurity audit log, a full packet capture in front of the web server, or a hook inside WordPress that records these actions. With that data, flag requests in which an Instructor-level user names a course ID whose author is a different user. The resources provide no specific detection commands. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Update the Tutor LMS plugin to the release that fixes this issue (any version later than 3.9.5). Until the update is applied, reduce the exposure: restrict what Instructor-level users may do, for example by removing the ability to delete or publish courses, or disable bulk course actions for non-administrator users where that is feasible. Monitor and audit course bulk-action, status-change and delete requests for accesses to courses the requesting user does not own. [1, 3]
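The two answers above (detection of requests to the three AJAX actions, and interim restriction of those actions until the plugin is updated) can be covered by one must-use plugin that adds the missing object-level check in front of the vulnerable handlers and logs every refusal. The code below is an added example for this page, not code from Tutor LMS, Themeum or Wordfence. It assumes that the course IDs arrive in the POST fields `bulk-ids`, `id` or `course_id` and that `edit_post` / `delete_post` on each course is the right capability to require; both are assumptions to verify against the plugin version you run. Only the three AJAX action names are taken from the advisory.

```php
<?php
/**
 * Plugin Name: Tutor LMS course authorization guard (CVE-2026-1375 virtual patch)
 *
 * Added example, not Tutor LMS code. Place this file in wp-content/mu-plugins/
 * on a site still running Tutor LMS <= 3.9.5 until the plugin is updated.
 * It hooks the three affected admin-ajax actions at priority 1, so it runs
 * before the plugin's own handlers, and refuses the request unless the current
 * user holds the per-course capability for every course ID named in it.
 * Every refusal is written to the PHP error log so it can be alerted on.
 *
 * Assumptions (not from the advisory): the request field names 'bulk-ids',
 * 'id' and 'course_id', and the capability required per action.
 */

defined( 'ABSPATH' ) || exit;

/** AJAX action (from the advisory) => meta-capability required on each course (assumed). */
const TUTOR_GUARD_ACTIONS = array(
	'tutor_course_list_bulk_action' => 'edit_post',
	'tutor_change_course_status'    => 'edit_post',
	'tutor_course_delete'           => 'delete_post',
);

/** POST fields that may carry course IDs (assumed; adjust to your plugin version). */
const TUTOR_GUARD_ID_FIELDS = array( 'bulk-ids', 'id', 'course_id' );

/**
 * Pull every candidate course ID out of the POST body. Accepts arrays and
 * comma-separated strings and keeps only positive integers.
 */
function tutor_guard_collect_ids() {
	$ids = array();
	foreach ( TUTOR_GUARD_ID_FIELDS as $field ) {
		if ( ! isset( $_POST[ $field ] ) ) {
			continue;
		}
		$raw    = wp_unslash( $_POST[ $field ] );
		$values = is_array( $raw ) ? $raw : explode( ',', (string) $raw );
		foreach ( $values as $value ) {
			$id = absint( trim( (string) $value ) );
			if ( $id > 0 ) {
				$ids[] = $id;
			}
		}
	}
	return array_values( array_unique( $ids ) );
}

/**
 * Return the IDs the current user may NOT act on. current_user_can() with a
 * post ID goes through map_meta_cap, so a non-existent post and a course
 * authored by someone else (for a user without the *_others_* caps) both fail.
 * This per-object check is exactly what the vulnerable handlers lack.
 */
function tutor_guard_denied_ids( array $ids, $cap ) {
	$denied = array();
	foreach ( $ids as $id ) {
		if ( ! current_user_can( $cap, $id ) ) {
			$denied[] = $id;
		}
	}
	return $denied;
}

function tutor_guard_check() {
	$action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
	if ( ! array_key_exists( $action, TUTOR_GUARD_ACTIONS ) ) {
		return;
	}
	$user = wp_get_current_user();
	$ids  = tutor_guard_collect_ids();
	$ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';

	if ( empty( $ids ) ) {
		// The field-name assumption did not match this request: log it so the gap is visible.
		error_log( sprintf( 'tutor-guard: %s by user %d from %s carried no recognised course id', $action, $user->ID, $ip ) );
		return;
	}

	$denied = tutor_guard_denied_ids( $ids, TUTOR_GUARD_ACTIONS[ $action ] );
	if ( empty( $denied ) ) {
		return; // authorised for every course named; let the plugin's own handler run
	}

	error_log( sprintf(
		'tutor-guard: DENIED %s by user %d (%s) from %s on course id(s) %s',
		$action, $user->ID, $user->user_login, $ip, implode( ',', $denied )
	) );
	wp_send_json_error( array( 'message' => 'You are not allowed to modify one or more of the selected courses.' ), 403 );
}

foreach ( array_keys( TUTOR_GUARD_ACTIONS ) as $tutor_guard_action ) {
	add_action( 'wp_ajax_' . $tutor_guard_action, 'tutor_guard_check', 1 );
}
```

The guard does not replace the plugin's own nonce check, which still runs afterwards for requests it lets through. The "carried no recognised course id" log line is deliberate: if the assumed field names are wrong for your version, the guard would otherwise pass every request silently, and that line is how you find out. Grep the PHP error log for `tutor-guard: DENIED` to see attempts that the original code would have accepted.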