CVE-2026-6965 MEDIUM

CVE-2026-6965: Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter

Vendor Themeum
Product Tutor LMS – eLearning and online course solution
Weakness CWE-639 · IDOR
Published May 13, 2026
Last update May 13, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. The `get_course_id_by()` function unconditionally trusts the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups. That value is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, so the gate evaluates instructor membership against the attacker-controlled course rather than against the course that actually owns the target content object. An authenticated attacker with Instructor-level access or higher can therefore pass the ID of a course they are permitted to manage while targeting content that belongs to someone else's course. This makes it possible to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads; creating or modifying lessons, topics, and announcements in victim courses; manipulating student quiz grades; and reading unpublished lesson and quiz content.
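The following is an added illustration of the authorization pattern described above, not code from Tutor LMS or Themeum. It models a tiny in-memory post tree (hypothetical IDs, post types `courses`/`topics`/`lesson`, and an instructor-membership table, all constructed for the example) and contrasts a `can_user_manage_vulnerable()` check that takes the course ID from the request with a `can_user_manage_hardened()` check that derives the course from the target object's own parent chain. In a real plugin the parent walk would use WordPress post lookups rather than the array used here.

```php
<?php
declare(strict_types=1);

// Constructed sample data (not real Tutor LMS records).
// Lessons belong to topics, topics belong to courses; post_parent links them.
$posts = [
    101 => ['type' => 'courses', 'parent' => 0,   'author' => 5], // victim instructor 5 owns course 101
    102 => ['type' => 'topics',  'parent' => 101, 'author' => 5],
    103 => ['type' => 'lesson',  'parent' => 102, 'author' => 5], // target content object
    201 => ['type' => 'courses', 'parent' => 0,   'author' => 9], // attacker (user 9) owns course 201
];

// Hypothetical instructor membership: course ID => instructor user IDs.
$course_instructors = [
    101 => [5],
    201 => [9],
];

// Resolve the course that actually owns a content object by walking post_parent
// upward until a post of the course type is reached. Returns null if the chain
// is broken or cyclic.
function owning_course_id(array $posts, int $post_id): ?int
{
    $seen = [];
    while (isset($posts[$post_id]) && !isset($seen[$post_id])) {
        $seen[$post_id] = true;
        if ($posts[$post_id]['type'] === 'courses') {
            return $post_id;
        }
        $post_id = (int) $posts[$post_id]['parent'];
    }
    return null;
}

function is_instructor_of(array $course_instructors, int $course_id, int $user_id): bool
{
    return in_array($user_id, $course_instructors[$course_id] ?? [], true);
}

// Vulnerable pattern: the course ID used for the membership check is whatever the
// client sent in the `course` request parameter, so the check is evaluated against
// an attacker-chosen course instead of the one that owns $target_id.
function can_user_manage_vulnerable(array $posts, array $ci, array $request, int $user_id, int $target_id): bool
{
    $course_id = isset($request['course'])
        ? (int) $request['course']
        : owning_course_id($posts, $target_id);
    return $course_id !== null && is_instructor_of($ci, $course_id, $user_id);
}

// Hardened pattern: the course ID is derived from the target object itself. A
// client-supplied `course` value is accepted only if it agrees with that result;
// a mismatch is treated as an authorization failure rather than silently trusted.
function can_user_manage_hardened(array $posts, array $ci, array $request, int $user_id, int $target_id): bool
{
    $course_id = owning_course_id($posts, $target_id);
    if ($course_id === null) {
        return false;
    }
    if (isset($request['course']) && (int) $request['course'] !== $course_id) {
        return false;
    }
    return is_instructor_of($ci, $course_id, $user_id);
}

// Attacker (user 9) targets lesson 103 in victim course 101 while claiming course=201,
// a course the attacker legitimately manages.
$request = ['course' => '201', 'post_id' => '103'];

printf("vulnerable check allows delete: %s\n",
    can_user_manage_vulnerable($posts, $course_instructors, $request, 9, 103) ? 'yes' : 'no');
printf("hardened check allows delete:   %s\n",
    can_user_manage_hardened($posts, $course_instructors, $request, 9, 103) ? 'yes' : 'no');
```

Run with `php example.php`. The vulnerable check grants the operation because user 9 is an instructor of course 201, the course named in the request; the hardened check denies it because lesson 103 resolves to course 101, where user 9 has no instructor membership, and the request's `course` value disagrees with that resolution. The general fix is the same regardless of endpoint: any ownership or capability decision about a post must start from the post's own ancestry, never from an ID the caller supplies alongside it.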

Explanation of Vulnerability in Simple Terms

02 Summary

Tutor LMS versions up to and including 3.9.9 contain an Insecure Direct Object Reference that lets an authenticated user holding the Instructor role (or higher) modify or delete content in courses they do not own, because the authorization check evaluates instructor membership against a course ID taken from the request rather than the course that owns the target object. The flaw requires no user interaction and affects the application's data integrity. Note that the CVSS vector above records Privileges Required as None, which does not match the description's requirement of an Instructor-level account; treat the description as authoritative when assessing exposure. Site administrators should update to a patched release newer than 3.9.9 to remediate this issue.

What an attacker can do

03 Attacker Capabilities

Using an Instructor-level (or higher) account, permanently delete lessons, assignments, quizzes (including all student attempt data), topics, announcements, and Q&A threads in other instructors' courses; create or modify lessons, topics, and announcements in those courses; manipulate student quiz grades; and read unpublished lesson and quiz content.

Potential impact on your site

04 Site Impact

Course content belonging to any instructor could be altered or permanently deleted by another instructor-level user, student quiz attempt data and grades could be destroyed or falsified, and unpublished course material could be disclosed.

Conditions required to exploit

05 Prerequisites

Network access to the site and an authenticated account with the Instructor role or higher (on sites that allow instructor self-registration, this is obtainable without administrator involvement). The attacker must be an instructor of at least one course, whose ID is supplied in the `course` parameter, and must know or guess the ID of the target content object. No user interaction is required.

Key dates

06 Disclosure timeline

May 13, 2026 CVE published
May 13, 2026 Record updated