CVE-2026-6965

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L294
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L507
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L586
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Announcements.php#L105
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1997
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2045
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L186
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L243
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L341
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L219
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L297
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L339
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1007
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1041
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L888
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L7829
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L8020
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L294
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L507
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L586
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Announcements.php#L105
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L1997
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L2045
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L186
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L243
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L341
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L219
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L297
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L339
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1007
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1041
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L888
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L7829
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L8020
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L294
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L507
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L586
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Announcements.php#L105
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1997
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2045
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L186
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L243
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L341
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L219
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L297
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L339
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1007
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1041
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L888
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L7829
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L8020
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3518400%40tutor&new=3518400%40tutor&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/55924ea3-373c-4297-a958-5670def1f6c0?source=cve

Configurations

No configuration.

History

13 May 2026, 14:43

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-13 06:16

Updated : 2026-05-13 14:43

NVD link : CVE-2026-6965

Mitre link : CVE-2026-6965

CVE.ORG link : CVE-2026-6965

JSON object : View

Products Affected

No product.

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

5.3 /10