CVE-2026-1375 — Authorization Bypass Through User-Controlled Key in Tutor LMS Elearning AND Online Course Solution

CWE-639 — Authorization Bypass Through User-Controlled Key4 documents4 sources

Severity

8.1HIGHNVD

EPSS

0.1%

top 81.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Themeum Tutor LMS Elearning AND Online Course Solution

Timeline

PublishedFeb 3

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulatin…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:HExploitability: 2.8 | Impact: 5.2

Affected Packages1 packages

▶CVEListV5themeum/tutor_lms_elearning_and_online_course_solution3.9.5

🔴Vulnerability Details

GHSA

GHSA-qxqc-g59m-cqx4: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up↗2026-02-03

▶

CVEList

Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion↗2026-02-03

▶

🕵️Threat Intelligence

Wiz

CVE-2026-1375 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶