Vulnerability Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.
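The missing object-level check described above, sketched as an added example (not Tutor LMS code and not the vendor's patch): a bulk handler that authorizes every submitted ID before acting on any of them. The function names, the nonce action, the `course_ids` field, the `courses` post type slug and the ownership rule (post author, or an administrator) are all assumptions for illustration.

```php
<?php
// Added example with hypothetical names; not Tutor LMS code.

/**
 * Split requested IDs into those the current user may act on and those refused.
 * Assumption: ownership means post_author; 'manage_options' users may act on any course.
 */
function example_partition_course_ids( $requested_ids, string $course_post_type ): array {
    $user_id  = get_current_user_id();
    $is_admin = current_user_can( 'manage_options' );
    $allowed  = array();
    $denied   = array();

    // wp_parse_id_list() accepts an array or a comma-separated string and returns unique ints.
    foreach ( wp_parse_id_list( $requested_ids ) as $id ) {
        $is_course = get_post_type( $id ) === $course_post_type;
        $is_owner  = $user_id > 0 && (int) get_post_field( 'post_author', $id ) === $user_id;
        if ( $is_course && ( $is_admin || $is_owner ) ) {
            $allowed[] = $id;
        } else {
            $denied[] = $id; // wrong post type, missing post, or someone else's course
        }
    }
    return array( $allowed, $denied );
}

function example_bulk_trash_courses(): void {
    // The nonce proves the request came from this site's UI; it says nothing about ownership.
    check_ajax_referer( 'example_bulk_action', 'nonce' );

    $raw = isset( $_POST['course_ids'] ) ? wp_unslash( $_POST['course_ids'] ) : array();
    // 'courses' is an assumed post type slug for this sketch.
    list( $allowed, $denied ) = example_partition_course_ids( $raw, 'courses' );

    if ( ! empty( $denied ) ) {
        // Fail closed: reject the whole batch and leave a trail for detection.
        error_log( sprintf( 'bulk course action refused: user=%d ids=%s', get_current_user_id(), implode( ',', $denied ) ) );
        wp_send_json_error( array( 'message' => 'Not permitted for one or more courses.' ), 403 );
    }
    foreach ( $allowed as $id ) {
        wp_trash_post( $id );
    }
    wp_send_json_success( array( 'trashed' => $allowed ) );
}
add_action( 'wp_ajax_example_bulk_trash_courses', 'example_bulk_trash_courses' );
```

A role or capability check alone ("is this user an instructor?") is what leaves this class of bug open; the per-ID ownership test is the part that closes it.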
CVSS Score
8.1 (HIGH)
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.
- https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.
- https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.
- https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/classes/Course_
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fc
FAQ
What is CVE-2026-1375?
CVE-2026-1375 is a vulnerability with a CVSS score of 8.1 (HIGH). The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing ...
How severe is CVE-2026-1375?
CVE-2026-1375 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-1375?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.