Tutor LMS – eLearning and online course solution < 3.9.5 – Authenticated (Subscriber+) Insecure Direct Object Reference | CVE 2025-32223 | Plugin Vulnerabilities

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform unauthorized actions.

Affects Plugins

Fixed in 3.9.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/b6f7c4c8-210f-4bbb-8352-5c2e550e44c3

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

daroo

Verified

No

WPVDB ID

21996805-2e13-4e09-915d-d8d0ca4c54aa

Timeline

Publicly Published

2026-03-16 (about 1 month ago)

Added

2026-03-27 (about 1 month ago)

Last Updated

2026-03-27 (about 1 month ago)

Other

Published

Title

Published

2021-06-03

Title

Jetpack < 9.8 - Carousel Module Non-Published Page/Post Attachment Comment Leak

Published

2026-04-23

Title

Maxi Blocks < 2.1.9 - Missing Authorization to Authenticated (Author+) Media File Deletion via 'old_media_src' Parameter

Published

2025-05-01

Title

Homey - Booking and Rentals WordPress Theme < 2.4.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion

Published

2025-07-21

Title

WP JobHunt <= 7.2 - Subscriber+ Arbitrary Account Deletion via IDOR

Published

2022-08-04

Title

Sensei LMS < 4.5.2 - Arbitrary Private Message Sending via IDOR