CVE-2026-1375

Published: Feb 3, 2026Modified: Feb 3, 2026

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Exploitability: 2.8 / Impact: 5.2

Source: security@wordfence.com

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.

Related CWEs

CWE-639

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (5)

https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L289

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L437

Source: security@wordfence.com

https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L463

Source: security@wordfence.com

https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/classes/Course_List.php?contextall=1&old=3339576&old_path=%2Ftutor%2Ftrunk%2Fclasses%2FCourse_List.php

Source: security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fce-461257420eb6?source=cve

Source: security@wordfence.com

Timeline

No history available yet.