WordPress · Tutor Lms · CVE-2026-6965
**Name of the Vulnerable Software and Affected Versions**
Tutor LMS versions prior to 4.0.0
**Description**
The Tutor LMS – eLearning and online course solution plugin for WordPress contains an Insecure Direct Object Reference. This occurs because the `get_course_id_by()` function unconditionally trusts the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups. This value is then used by `can_user_manage()`, the primary authorization gate for instructor-level operations, leading the system to evaluate instructor membership against an attacker-controlled course instead of the course that owns the target content. Consequently, authenticated attackers with instructor-level access or higher can perform unauthorized actions on other instructors' course content. These actions include permanently deleting lessons, assignments, quizzes (including all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements, manipulating student quiz grades, and accessing unpublished lesson and quiz content.
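The following PHP sketch is an added illustration of the flaw described above and is not Tutor LMS code; the function names, the in-memory content/course arrays, and the user names are hypothetical. It contrasts an ownership gate that takes the course from the request with one that derives it from the content being acted on.

```php
<?php
// Added illustration (not Tutor LMS code). All names and data are hypothetical.

// Constructed sample data: which course each content item belongs to, and
// which users instruct each course.
$contentCourse     = ['lesson-10' => 'course-A', 'quiz-22' => 'course-A'];
$courseInstructors = ['course-A' => ['alice'], 'course-B' => ['mallory']];

// Vulnerable pattern: the course used for the instructor-membership check is
// read from the request, so the caller decides which course's instructor list
// is consulted, regardless of which course actually owns the target content.
function can_manage_vulnerable(array $get, array $courseInstructors, string $user): bool
{
    $course = $get['course'] ?? null; // request-controlled value
    return $course !== null
        && in_array($user, $courseInstructors[$course] ?? [], true);
}

// Hardened pattern: resolve the owning course from the server-side record of
// the content item and ignore any course id carried by the request.
function can_manage_hardened(string $contentId, array $contentCourse, array $courseInstructors, string $user): bool
{
    $course = $contentCourse[$contentId] ?? null; // server-side source of truth
    return $course !== null
        && in_array($user, $courseInstructors[$course] ?? [], true);
}

// Scenario: mallory instructs course-B only, but the request names course-B
// while targeting lesson-10, which is owned by course-A.
$request = ['course' => 'course-B', 'content' => 'lesson-10'];

// The vulnerable gate consults course-B's instructor list and grants access.
var_dump(can_manage_vulnerable($request, $courseInstructors, 'mallory'));

// The hardened gate consults lesson-10's real course (course-A) and denies it.
var_dump(can_manage_hardened($request['content'], $contentCourse, $courseInstructors, 'mallory'));

// The legitimate instructor of course-A is still allowed.
var_dump(can_manage_hardened('lesson-10', $contentCourse, $courseInstructors, 'alice'));
```

In a WordPress plugin the hardened form corresponds to walking the stored parent/meta relationship from the target post up to its course rather than reading the course ID from `$_GET`.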
**Recommendations**
Update to a version newer than 3.9.9.
As a temporary workaround, restrict access to the `course` GET parameter to minimize the risk of exploitation.