CVE-2026-6708 MEDIUM

CVE-2026-6708: HEL Online Classroom: AI-powered Online Classrooms <= 1.0.3 - Missing Authorization to Unauthenticated Arbitrary Classroom Deletion via 'id' Parameter

Vendor Higheredlab
Product HEL Online Classroom: AI-powered Online Classrooms
Weakness CWE-862 · Missing authorization
Published May 12, 2026
Last update May 12, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The HEL Online Classroom: AI-powered Online Classrooms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.3. This is due to a missing capability check on a REST API endpoint registered with a permission_callback of '__return_true', which bypasses all WordPress authentication and authorization checks. This makes it possible for unauthenticated attackers to delete any classroom record by supplying its ID in the request, resulting in permanent data loss.

Explanation of Vulnerability in Simple Terms

02Summary

HEL Online Classroom versions up to 1.0.3 lack proper authorization checks, allowing unauthenticated attackers to modify data on the platform. The vulnerability requires only network access and no user interaction. An attacker can alter information without needing valid credentials or victim involvement.

What an attacker can do

03Attacker Capabilities

Modify data on the platform without authentication.

Potential impact on your site

04Site Impact

Unauthorized users can alter classroom data, course content, or other platform information without logging in.

Conditions required to exploit

05Prerequisites

Network access to the application; no authentication or user interaction required.

Key dates

06Disclosure timeline

May 12, 2026 CVE published
May 12, 2026 Record updated

Related vulnerabilities

08Related CVE