The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00042.

Exploitation none

Automatable yes

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
themeum Tutor LMS – eLearning and online course solution unaffected
Version Status Constraints
0 affected ≤ 3.9.9

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors Products
Themeum Subscribe
Tutor Lms – Elearning And Online Course Solution Subscribe
Wordpress Subscribe
Wordpress Subscribe

Project Subscriptions

Vendors Products
Themeum Subscribe
Tutor Lms – Elearning And Online Course Solution Subscribe
Wordpress Subscribe
Wordpress Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L294 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L507 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L586 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Announcements.php#L105 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1997 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2045 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L186 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L243 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L341 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L219 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L297 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L339 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1007 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1041 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L888 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L7829 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L8020 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L294 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L507 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L586 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Announcements.php#L105 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L1997 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L2045 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L186 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L243 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L341 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L219 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L297 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L339 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1007 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1041 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L888 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L7829 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L8020 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L294 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L507 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L586 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Announcements.php#L105 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1997 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2045 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L186 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L243 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L341 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L219 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L297 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L339 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1007 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1041 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L888 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L7829 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L8020 cve-icon cve-icon
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3518400%40tutor&new=3518400%40tutor&sfp_email=&sfph_mail= cve-icon cve-icon
https://www.wordfence.com/threat-intel/vulnerabilities/id/55924ea3-373c-4297-a958-5670def1f6c0?source=cve cve-icon cve-icon
History

Wed, 13 May 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Themeum
Themeum tutor Lms – Elearning And Online Course Solution
Wordpress
Wordpress wordpress
Vendors & Products Themeum
Themeum tutor Lms – Elearning And Online Course Solution
Wordpress
Wordpress wordpress

Wed, 13 May 2026 06:00:00 +0000

Type Values Removed Values Added
Description The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.
Title Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-13T10:20:41.926Z

Reserved: 2026-04-24T16:01:40.686Z

Link: CVE-2026-6965

cve-icon Vulnrichment

Updated: 2026-05-13T10:18:23.776Z

cve-icon NVD

Status : Deferred

Published: 2026-05-13T06:16:15.087

Modified: 2026-05-13T14:43:46.717

Link: CVE-2026-6965

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T08:30:15Z

Weaknesses