{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1375", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-23T18:04:32.011Z", "datePublished": "2026-02-03T07:31:23.100Z", "dateUpdated": "2026-04-08T16:51:47.055Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:47.055Z"}, "affected": [{"vendor": "themeum", "product": "Tutor LMS \u2013 eLearning and online course solution", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.9.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests."}], "title": "Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fce-461257420eb6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L289"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L437"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L463"}, {"url": "https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/classes/Course_List.php?contextall=1&old=3339576&old_path=%2Ftutor%2Ftrunk%2Fclasses%2FCourse_List.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Tharadol Suksamran"}], "timeline": [{"time": "2026-01-23T18:20:12.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-02T18:41:05.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T15:45:56.367297Z", "id": "CVE-2026-1375", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:46:05.937Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1375", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T15:45:56.367297Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:46:01.747Z"}}], "cna": {"title": "Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Tharadol Suksamran"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"}}], "affected": [{"vendor": "themeum", "product": "Tutor LMS \u2013 eLearning and online course solution", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.9.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-23T18:20:12.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-02T18:41:05.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fce-461257420eb6?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L289"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L437"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L463"}, {"url": "https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/classes/Course_List.php?contextall=1&old=3339576&old_path=%2Ftutor%2Ftrunk%2Fclasses%2FCourse_List.php"}], "descriptions": [{"lang": "en", "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:51:47.055Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1375", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:51:47.055Z", "dateReserved": "2026-01-23T18:04:32.011Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-03T07:31:23.100Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests."}, {"lang": "es", "value": "El plugin Tutor LMS \u2013 soluci\u00f3n de eLearning y cursos en l\u00ednea para WordPress es vulnerable a Referencias Directas Inseguras a Objetos (IDOR) en todas las versiones hasta la 3.9.5, inclusive. Esto se debe a la falta de comprobaciones de autorizaci\u00f3n a nivel de objeto en las funciones `course_list_bulk_action()`, `bulk_delete_course()` y `update_course_status()`. Esto hace posible que atacantes autenticados, con acceso de nivel de Instructor de Tutor o superior, modifiquen o eliminen cursos arbitrarios que no les pertenecen manipulando los ID de los cursos en solicitudes de acciones masivas."}], "id": "CVE-2026-1375", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-03T08:16:14.733", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L289"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L437"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L463"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/classes/Course_List.php?contextall=1&old=3339576&old_path=%2Ftutor%2Ftrunk%2Fclasses%2FCourse_List.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fce-461257420eb6?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T21:29:24.772513+00:00", "value": {"mitigation_remediation": ["Update Tutor LMS to the latest release that contains the IDOR fix.", "If an immediate update is not possible, disable or remove the bulk action endpoints by customizing the plugin or adding a filter that blocks access to the 'course_list_bulk_action', 'bulk_delete_course', and 'update_course_status' functions.", "Reconfigure the Instructor+ role permissions so that users can only manage courses they own, by applying role\u2011based access controls or a custom capability check."], "summary": {"action": "Apply Patch", "impact": "Authenticated course modification and deletion by privileged users"}, "threat_synthesis": {"affected_systems": "All installations of Tutor LMS up to and including version 3.9.5 are vulnerable. Any WordPress site that has installed one of these revisions and has users with the Instructor role or better is at risk, regardless of the number of courses or users.", "description_and_impact": "The Tutor LMS eLearning plugin for WordPress contains an Insecure Direct Object Reference flaw caused by missing authorization checks in the bulk action handlers. Authenticated users with Instructor or higher level access can manipulate the course ID fields in bulk action requests to modify or delete any course, regardless of ownership. This can lead to unauthorized alteration of course content, deletion of courses, and loss of educational material and revenue for the site owner.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.1, indicating high severity, but the EPSS score is less than 1%, suggesting that exploitation is currently unlikely to be widespread. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated session, so the attack vector is inferred to be an authenticated API or administrative interface that the plugin exposes for bulk course management."}}}}, "created": "2026-02-04T12:14:25.559158+00:00", "updated": "2026-04-15T21:30:13.899508+00:00", "vendors": ["themeum", "themeum$PRODUCT$tutor_lms", "wordpress", "wordpress$PRODUCT$wordpress"]}