Tutor LMS < 3.9.5 – Authenticated (Instructor+) Insecure Direct Object Reference | CVE 2025-47555 | Plugin Vulnerabilities

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.4 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Custom-level access and above, to perform an unauthorized action.

Affects Plugins

Fixed in 3.9.5

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5849a9f6-715e-4ac8-a0f7-1cd0814fff58

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Supakiad S. (m3ez)

Verified

No

WPVDB ID

ff4a4e6f-69aa-4a62-9a92-58af39dc6fe7

Timeline

Publicly Published

2026-01-02 (about 4 months ago)

Added

2026-02-03 (about 3 months ago)

Last Updated

2026-02-03 (about 3 months ago)

Other

Published

Title

Published

2024-12-24

Title

Avada Builder < 3.11.13 - Authenticated (Contributor+) Protected Post Disclosure

Published

2024-12-05

Title

PowerPack Elementor Addons (Free Widgets, Extensions and Templates) < 2.8.2 - Authenticated (Contributor+) Post Disclosure

Published

2023-07-10

Title

WooCommerce GoCardless Gateway < 2.5.7 - Unauthenticated Sensitive Information Disclosure

Published

2026-02-09

Title

WCFM Membership – WooCommerce Memberships for Multivendor Marketplace < 2.11.9 - Insecure Direct Object Reference to Update Membership Payment

Published

2025-02-14

Title

RTMKit < 1.6.8 - Authenticated (Contributor+) Insecure Direct Object Reference