PT-2026-40580 · WordPress · Tutor Lms
Molten Bit
·
Published
2026-05-13
·
Updated
2026-05-13
·
CVE-2026-6965
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Tutor LMS versions prior to 4.0.0
Description
The Tutor LMS – eLearning and online course solution plugin for WordPress contains an Insecure Direct Object Reference. This occurs because the
get course id by() function unconditionally trusts the user-supplied course GET parameter as the authoritative course ID for content ownership lookups. This value is then used by can user manage(), the primary authorization gate for instructor-level operations, leading the system to evaluate instructor membership against an attacker-controlled course instead of the course that owns the target content. Consequently, authenticated attackers with instructor-level access or higher can perform unauthorized actions on other instructors' course content. These actions include permanently deleting lessons, assignments, quizzes (including all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements, manipulating student quiz grades, and accessing unpublished lesson and quiz content.Recommendations
Update to a version newer than 3.9.9.
As a temporary workaround, restrict access to the
course GET parameter to minimize the risk of exploitation.Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Tutor Lms