CVE-2026-6965— Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter

Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion via 'course' GET Parameter

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

通过用户控制密钥绕过授权机制

WordPress plugin Tutor LMS 安全漏洞

WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台具有在基于PHP和MySQL的服务器上架设个人博客网站的功能。WordPress plugin是一个应用插件。 WordPress plugin Tutor LMS 3.9.9及之前版本存在安全漏洞，该漏洞源于不安全的直接对象引用，get_course_id_by()函数无条件信任用户提供的course参数，导致认证攻击者可对其他讲师课程内容执行未授权操作。

N/A

N/A