CVE-2026-6965 (GCVE-0-2026-6965)
Vulnerability from cvelistv5 – Published: 2026-05-13 05:29 – Updated: 2026-05-13 10:20
VLAI?
Title
Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.
Severity ?
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
53 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
0 , ≤ 3.9.9
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6965",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T10:05:51.578265Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T10:20:41.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "molten bit"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin\u0027s sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor\u0027s course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q\u0026A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T05:29:37.082Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55924ea3-373c-4297-a958-5670def1f6c0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L7829"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L7829"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L8020"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L8020"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L341"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L341"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1041"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1041"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2045"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L2045"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L586"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L586"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Announcements.php#L105"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Announcements.php#L105"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L219"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L219"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L297"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L297"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L294"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L294"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L243"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L243"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1997"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L1997"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L507"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L507"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L888"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L888"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L339"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L339"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L186"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L186"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1007"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1007"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L7829"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L8020"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L341"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1041"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2045"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L586"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Announcements.php#L105"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L219"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L297"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L294"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L243"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1997"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L507"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L888"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L339"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L186"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1007"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3518400%40tutor\u0026new=3518400%40tutor\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-24T16:17:05.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-12T17:18:06.000Z",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u003c= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via \u0027course\u0027 GET Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6965",
"datePublished": "2026-05-13T05:29:37.082Z",
"dateReserved": "2026-04-24T16:01:40.686Z",
"dateUpdated": "2026-05-13T10:20:41.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-6965",
"date": "2026-05-17",
"epss": "0.00042",
"percentile": "0.12864"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-6965\",\"sourceIdentifier\":\"security@wordfence.com\",\"published\":\"2026-05-13T06:16:15.087\",\"lastModified\":\"2026-05-13T14:43:46.717\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin\u0027s sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor\u0027s course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q\u0026A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security@wordfence.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"references\":[{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L294\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L507\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L586\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Announcements.php#L105\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1997\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2045\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L186\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L243\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L341\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L219\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L297\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L339\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1007\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1041\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L888\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L7829\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L8020\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L294\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L507\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L586\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Announcements.php#L105\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L1997\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L2045\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L186\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L243\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L341\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L219\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L297\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L339\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1007\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1041\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L888\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L7829\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L8020\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L294\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L507\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L586\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Announcements.php#L105\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1997\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2045\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L186\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L243\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L341\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L219\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L297\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L339\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1007\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1041\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L888\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L7829\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L8020\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3518400%40tutor\u0026new=3518400%40tutor\u0026sfp_email=\u0026sfph_mail=\",\"source\":\"security@wordfence.com\"},{\"url\":\"https://www.wordfence.com/threat-intel/vulnerabilities/id/55924ea3-373c-4297-a958-5670def1f6c0?source=cve\",\"source\":\"security@wordfence.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-6965\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-13T10:05:51.578265Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-13T10:18:23.776Z\"}}], \"cna\": {\"title\": \"Tutor LMS \u003c= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via \u0027course\u0027 GET Parameter\", \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"molten bit\"}], \"metrics\": [{\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\"}}], \"affected\": [{\"vendor\": \"themeum\", \"product\": \"Tutor LMS \\u2013 eLearning and online course solution\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"3.9.9\"}], \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-04-24T16:17:05.000Z\", \"value\": \"Vendor Notified\"}, {\"lang\": \"en\", \"time\": \"2026-05-12T17:18:06.000Z\", \"value\": \"Disclosed\"}], \"references\": [{\"url\": \"https://www.wordfence.com/threat-intel/vulnerabilities/id/55924ea3-373c-4297-a958-5670def1f6c0?source=cve\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L7829\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L7829\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L8020\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L8020\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L341\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L341\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1041\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1041\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2045\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L2045\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L586\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L586\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Announcements.php#L105\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Announcements.php#L105\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L219\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L219\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L297\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L297\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L294\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L294\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L243\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L243\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1997\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L1997\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L507\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L507\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L888\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L888\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L339\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L339\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L186\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L186\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1007\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1007\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L7829\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L8020\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L341\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1041\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2045\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L586\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Announcements.php#L105\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L219\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L297\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L294\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L243\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1997\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L507\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L888\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L339\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L186\"}, {\"url\": \"https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1007\"}, {\"url\": \"https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3518400%40tutor\u0026new=3518400%40tutor\u0026sfp_email=\u0026sfph_mail=\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"The Tutor LMS \\u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin\u0027s sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor\u0027s course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q\u0026A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639 Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"shortName\": \"Wordfence\", \"dateUpdated\": \"2026-05-13T05:29:37.082Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-6965\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-13T10:20:41.926Z\", \"dateReserved\": \"2026-04-24T16:01:40.686Z\", \"assignerOrgId\": \"b15e7b5b-3da4-40ae-a43c-f7aa60e62599\", \"datePublished\": \"2026-05-13T05:29:37.082Z\", \"assignerShortName\": \"Wordfence\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…