What the vulnerability does
01 Description
The HEL Online Classroom: AI-powered Online Classrooms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.3. This is due to a missing capability check on a REST API endpoint registered with a permission_callback of '__return_true', which bypasses all WordPress authentication and authorization checks. This makes it possible for unauthenticated attackers to delete any classroom record by supplying its ID in the request, resulting in permanent data loss.
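The registration flaw described above, shown beside a hardened form. This is an added example, not the plugin's own code: the namespace, route, function names, table name and the choice of the manage_options capability are assumptions for illustration.

```php
<?php
// Added illustration. Namespace, route, function and table names are
// hypothetical; they are not taken from the plugin's source.

// Vulnerable pattern from the description: '__return_true' approves every
// request, so the DELETE handler runs with no login and no capability check.
function example_register_vulnerable() {
    register_rest_route( 'example-classroom/v1', '/classrooms/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_classroom',
        'permission_callback' => '__return_true',
    ) );
}

// Hardened registration: the permission callback runs before the handler.
function example_register_hardened() {
    register_rest_route( 'example-classroom/v1', '/classrooms/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_classroom',
        'permission_callback' => 'example_can_delete_classroom',
        'args'                => array(
            'id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_hardened' ); // only this one is hooked

// Assumption: deleting classrooms is an administrator action ('manage_options').
function example_can_delete_classroom( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    // 401 for anonymous requests, 403 for logged-in users lacking the capability.
    return new WP_Error( 'rest_forbidden', 'You are not allowed to delete classrooms.',
        array( 'status' => rest_authorization_required_code() ) );
}

function example_delete_classroom( WP_REST_Request $request ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'example_classrooms',
        array( 'id' => $request['id'] ), array( '%d' ) );
    if ( ! $deleted ) {
        return new WP_Error( 'rest_not_found', 'Classroom not found.', array( 'status' => 404 ) );
    }
    return new WP_REST_Response( null, 204 );
}
```

When auditing other plugins, searching their source for register_rest_route calls whose permission_callback is '__return_true' on write or delete methods surfaces the same class of issue.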
Explanation of Vulnerability in Simple Terms
02 Summary
HEL Online Classroom versions up to and including 1.0.3 lack proper authorization checks, allowing unauthenticated attackers to modify data on the platform. Exploitation requires only network access: no valid credentials and no user interaction.
What an attacker can do
03 Attacker Capabilities
Modify data on the platform without authentication.
Potential impact on your site
04 Site Impact
Unauthorized users can alter classroom data, course content, or other platform information without logging in.
Conditions required to exploit
05 Prerequisites
Network access to the application; no authentication or user interaction required.
Key dates
06 Disclosure timeline
May 12, 2026: CVE published
May 12, 2026: Record updated