Vulnerability-Lookup

FKIE_CVE-2026-6965

Vulnerability from fkie_nvd - Published: 2026-05-13 06:16 - Updated: 2026-05-13 14:43

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.

References

	URL	Tags
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L294
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L507
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L586
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Announcements.php#L105
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1997
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2045
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L186
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L243
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L341
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L219
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L297
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L339
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1007
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1041
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L888
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L7829
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L8020
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L294
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L507
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L586
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Announcements.php#L105
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L1997
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L2045
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L186
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L243
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L341
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L219
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L297
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L339
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1007
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1041
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L888
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L7829
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L8020
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L294
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L507
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L586
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Announcements.php#L105
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1997
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2045
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L186
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L243
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L341
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L219
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L297
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L339
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1007
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1041
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L888
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L7829
	security@wordfence.com	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L8020
	security@wordfence.com	https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3518400%40tutor&new=3518400%40tutor&sfp_email=&sfph_mail=
	security@wordfence.com	https://www.wordfence.com/threat-intel/vulnerabilities/id/55924ea3-373c-4297-a958-5670def1f6c0?source=cve

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin\u0027s sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor\u0027s course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q\u0026A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content."
    }
  ],
  "id": "CVE-2026-6965",
  "lastModified": "2026-05-13T14:43:46.717",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "security@wordfence.com",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-05-13T06:16:15.087",
  "references": [
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L294"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L507"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L586"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Announcements.php#L105"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1997"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2045"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L186"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L243"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L341"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L219"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L297"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L339"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1007"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1041"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L888"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L7829"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L8020"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L294"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L507"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L586"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Announcements.php#L105"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L1997"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L2045"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L186"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L243"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L341"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L219"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L297"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L339"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1007"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1041"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L888"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L7829"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L8020"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L294"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L507"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L586"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Announcements.php#L105"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1997"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2045"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L186"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L243"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L341"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L219"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L297"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L339"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1007"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1041"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L888"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L7829"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L8020"
    },
    {
      "source": "security@wordfence.com",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3518400%40tutor\u0026new=3518400%40tutor\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "source": "security@wordfence.com",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55924ea3-373c-4297-a958-5670def1f6c0?source=cve"
    }
  ],
  "sourceIdentifier": "security@wordfence.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "security@wordfence.com",
      "type": "Primary"
    }
  ]
}

CVE-2026-6965 (GCVE-0-2026-6965)

Vulnerability from cvelistv5 – Published: 2026-05-13 05:29 – Updated: 2026-05-13 10:20

Title

Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter

Summary

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

Wordfence

References

53 references

URL	Tags
https://www.wordfence.com/threat-intel/vulnerabil…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/browser/tutor/…
https://plugins.trac.wordpress.org/changeset?sfp_…

Impacted products

1 product

Vendor	Product	Version
themeum	Tutor LMS – eLearning and online course solution	Affected: 0 , ≤ 3.9.9 (semver)

Credits

molten bit

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6965",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T10:05:51.578265Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T10:20:41.926Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Tutor LMS \u2013 eLearning and online course solution",
          "vendor": "themeum",
          "versions": [
            {
              "lessThanOrEqual": "3.9.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "molten bit"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin\u0027s sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor\u0027s course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q\u0026A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T05:29:37.082Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55924ea3-373c-4297-a958-5670def1f6c0?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L7829"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L7829"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L8020"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L8020"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L341"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L341"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1041"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1041"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2045"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L2045"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L586"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L586"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Announcements.php#L105"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Announcements.php#L105"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L219"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L219"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L297"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L297"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L294"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L294"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L243"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L243"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1997"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L1997"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L507"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L507"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L888"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L888"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L339"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L339"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L186"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L186"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1007"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1007"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L7829"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L8020"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L341"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1041"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2045"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L586"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Announcements.php#L105"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L219"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L297"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L294"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L243"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1997"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L507"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L888"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L339"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L186"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1007"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3518400%40tutor\u0026new=3518400%40tutor\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-24T16:17:05.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-12T17:18:06.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Tutor LMS \u003c= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via \u0027course\u0027 GET Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6965",
    "datePublished": "2026-05-13T05:29:37.082Z",
    "dateReserved": "2026-04-24T16:01:40.686Z",
    "dateUpdated": "2026-05-13T10:20:41.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

FKIE_CVE-2026-6965

CVE-2026-6965 (GCVE-0-2026-6965)

Tags

Sightings

Nomenclature