PT-2026-40580 · WordPress · Tutor Lms

Molten Bit

·

Published

2026-05-13

·

Updated

2026-05-13

·

CVE-2026-6965

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions Tutor LMS versions prior to 4.0.0
Description The Tutor LMS – eLearning and online course solution plugin for WordPress contains an Insecure Direct Object Reference. This occurs because the get course id by() function unconditionally trusts the user-supplied course GET parameter as the authoritative course ID for content ownership lookups. This value is then used by can user manage(), the primary authorization gate for instructor-level operations, leading the system to evaluate instructor membership against an attacker-controlled course instead of the course that owns the target content. Consequently, authenticated attackers with instructor-level access or higher can perform unauthorized actions on other instructors' course content. These actions include permanently deleting lessons, assignments, quizzes (including all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements, manipulating student quiz grades, and accessing unpublished lesson and quiz content.
Recommendations Update to a version newer than 3.9.9. As a temporary workaround, restrict access to the course GET parameter to minimize the risk of exploitation.

Fix

IDOR

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-6965

Affected Products

Tutor Lms