WordPress Plugin Vulnerabilities

Tutor LMS < 3.9.6 - Instructor+ Arbitrary Course Modification and Deletion via IDOR

Description

The plugin is vulnerable to Insecure Direct Object References (IDOR) due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.

Affects Plugins

Plugin icon
tutor
Fixed in 3.9.6

References

CVE
CVE-2026-1375
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fce-461257420eb6

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Athiwat Tiprasaharn (Jitlada), Tharadol Suksamran (d3kc4rt_1)
Verified
No
WPVDB ID
d414eef8-4d0e-45a7-bb80-4b48e9e29a58

Timeline

Publicly Published
2026-02-02 (about 3 months ago)
Added
2026-02-03 (about 3 months ago)
Last Updated
2026-02-03 (about 3 months ago)

Other

Published
Title
Published
2026-03-12
Title
GetGenie < 4.3.3 - Insecure Direct Object Reference to Authenticated (Author+) Stored Cross-Site Scripting via REST API
Published
2026-01-02
Title
Verdure <= 1.6 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2026-04-07
Title
Awesome Support < 6.3.8 - Authenticated (Subscriber+) Insecure Direct Object Reference to Unauthorized Ticket Reply Access via 'ticket_id' Parameter
Published
2024-04-30
Title
Masteriyo - LMS < 1.7.4 - Insecure Direct Object Reference
Published
2026-02-23
Title
Really Simple Security Pro < 9.5.4.1 - Authenticated (Subscriber+) Insecure Direct Object Reference