Tutor LMS – eLearning and online course solution < 3.9.5 – Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion | CVE 2026-0548 | Plugin Vulnerabilities

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.

Affects Plugins

Fixed in 3.9.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0e475e02-494a-4ad0-a83c-d027c3a32989

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

type5afe

Verified

No

WPVDB ID

36a93fc6-ef79-4d83-a199-4bfa19b35f08

Timeline

Publicly Published

2026-01-20 (about 3 months ago)

Added

2026-01-20 (about 3 months ago)

Last Updated

2026-01-20 (about 3 months ago)

Other

Published

Title

Published

2024-03-28

Title

WP Hotel Booking < 2.0.9.3 - Missing Authorization

Published

2024-08-16

Title

Asset CleanUp: Page Speed Booster < 1.3.9.4 - Missing Authorization

Published

2021-11-24

Title

Hide My WP < 6.2.4 - Unauthenticated Plugin Deactivation

Published

2025-08-26

Title

Info Cards < 2.0.0 - Missing Authorization

Published

2026-02-18

Title

Breeze – WordPress Cache Plugin < 2.2.22 - Missing Authorization to Cache Deletion