CVE-2026-6965

MEDIUM 5.3

Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.

CWE	CWE-639
Vendor	themeum
Product	tutor lms – elearning and online course solution
Published	May 13, 2026
Last Updated	May 13, 2026

Stay Ahead of the Next One

Get instant alerts for themeum tutor lms – elearning and online course solution

Be the first to know when new medium vulnerabilities affecting themeum tutor lms – elearning and online course solution are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

themeum / Tutor LMS – eLearning and online course solution

0 ≤ 3.9.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/55924ea3-373c-4297-a958-5670def1f6c0?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L7829 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L7829 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L8020 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L8020 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L341 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L341 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1041 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1041 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2045 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L2045 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L586 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L586 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Announcements.php#L105 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Announcements.php#L105 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L219 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L219 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L297 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L297 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L294 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L294 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L243 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L243 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1997 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L1997 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L507 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L507 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L888 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L888 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L339 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L339 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L186 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L186 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1007 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1007 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L7829 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L8020 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L341 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1041 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2045 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L586 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Announcements.php#L105 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L219 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L297 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L294 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L243 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1997 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L507 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L888 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L339 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L186 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1007 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3518400%40tutor&new=3518400%40tutor&sfp_email=&sfph_mail=

Credits

molten bit