CVE-2026-6708
Missing Authorization in HEL Online Classroom WordPress Plugin
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| hel_online_classroom | ai_powered_online_classrooms | up to and including 1.0.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The HEL Online Classroom: AI-powered Online Classrooms plugin for WordPress has a Missing Authorization vulnerability in all versions up to and including 1.0.3.
This vulnerability exists because a REST API endpoint in the plugin uses a permission callback that always returns true, effectively bypassing all WordPress authentication and authorization checks.
As a result, unauthenticated attackers can delete any classroom record by providing its ID in a request, causing permanent data loss.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to delete classroom records without any authorization.
The impact is permanent data loss of classroom records, which could disrupt educational activities and result in loss of important information.