CVE-2026-1375

Name of the Vulnerable Software and Affected Versions Tutor LMS versions prior to 3.9.5

Description The Tutor LMS plugin for WordPress is susceptible to Insecure Direct Object References (IDOR) due to insufficient object-level authorization checks. Specifically, the course list bulk action(), bulk delete course(), and update course status() functions lack proper validation. This allows authenticated attackers with Tutor Instructor-level access or higher to modify or delete courses they do not own by manipulating course IDs in bulk action requests. The vulnerable parameter is the course ID used in bulk action requests.

Recommendations Update Tutor LMS to a version later than 3.9.5. As a temporary workaround, restrict access to the course list bulk action(), bulk delete course(), and update course status() functions for users with Tutor Instructor-level access or higher.