CVE-2026-0548: CWE-862 Missing Authorization in themeum Tutor LMS – eLearning and online course solution
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.
AI Analysis
Technical Summary
CVE-2026-0548 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Tutor LMS plugin for WordPress, a popular eLearning and online course management solution. The vulnerability arises from the delete_existing_user_photo function, which fails to perform adequate capability checks before allowing deletion of user attachments. This missing authorization check enables any authenticated user with subscriber-level privileges or higher to delete arbitrary attachments on the WordPress site, potentially including course materials, user-uploaded files, or other critical content. The vulnerability affects all versions up to and including 3.9.4. The CVSS 3.1 base score is 5.4 (medium severity), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and impacts integrity and availability but not confidentiality. Exploitation could disrupt eLearning operations by removing essential files, causing data loss or service degradation. No patches or exploits are currently publicly available, but the risk remains significant due to the ease of exploitation and the broad user base of the plugin. The vulnerability highlights the importance of proper authorization checks in web application functions that modify or delete resources. Organizations relying on Tutor LMS should monitor for updates from the vendor and implement compensating controls in the interim.
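The following is an added illustrative example, not Tutor LMS code: a hypothetical AJAX handler for deleting a user's profile photo, shown first in the unchecked form that matches the CWE-862 pattern described above, then hardened with nonce, ownership and capability checks. Function names, the nonce action `example_photo_nonce` and the user-meta key `example_profile_photo_id` are assumptions; the WordPress APIs used are real.

```php
<?php
// Added example (not Tutor LMS code). Assumes the current user's photo attachment ID
// is stored in user meta under the hypothetical key 'example_profile_photo_id'.

// BEFORE (vulnerable pattern): the attachment ID comes straight from the request and is
// deleted with no capability or ownership check, so any logged-in user can remove any
// attachment on the site. This is the class of bug described for CVE-2026-0548.
function example_delete_user_photo_vulnerable() {
    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    wp_delete_attachment( $attachment_id, true );
    wp_send_json_success();
}

// AFTER (hardened): verify the request, the target, and the caller's right to delete it.
function example_delete_user_photo_hardened() {
    // 1. CSRF protection: 'example_photo_nonce' is a hypothetical nonce action name.
    check_ajax_referer( 'example_photo_nonce', 'nonce' );

    $attachment_id = absint( $_POST['attachment_id'] ?? 0 );
    $attachment    = get_post( $attachment_id );

    // 2. Only act on real attachment posts, never on arbitrary post IDs.
    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        wp_send_json_error( 'invalid attachment', 400 );
    }

    // 3. Ownership: the attachment must be the caller's own photo (recorded in user meta
    //    AND authored by the caller). Subscribers hold no delete_posts capability, so
    //    ownership is what authorizes them to remove their own photo.
    $user_id      = get_current_user_id();
    $own_photo_id = (int) get_user_meta( $user_id, 'example_profile_photo_id', true );
    $is_own_photo = ( $attachment_id === $own_photo_id
                      && (int) $attachment->post_author === $user_id );

    // 4. Capability: anything that is not the caller's own photo requires the
    //    'delete_post' meta-capability on that attachment, which WordPress maps to the
    //    role's delete_posts / delete_others_posts capabilities.
    if ( ! $is_own_photo && ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( ! wp_delete_attachment( $attachment_id, true ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    if ( $is_own_photo ) {
        delete_user_meta( $user_id, 'example_profile_photo_id' );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_user_photo', 'example_delete_user_photo_hardened' );
```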
Potential Impact
For European organizations, the vulnerability could lead to unauthorized deletion of critical attachments such as course content, user submissions, or multimedia resources hosted on Tutor LMS-powered WordPress sites. This may result in operational disruption, loss of educational materials, and degraded user experience for students and educators. The integrity and availability of eLearning platforms could be compromised, potentially affecting compliance with data retention policies and contractual obligations. Organizations in sectors like education, corporate training, and public institutions that use Tutor LMS are particularly vulnerable. The ease of exploitation by low-privilege authenticated users increases the risk of insider threats or compromised accounts being leveraged to cause damage. While confidentiality is not directly impacted, the loss of data availability and integrity could have cascading effects on organizational reputation and continuity of learning services.
Mitigation Recommendations
1. Monitor the vendor’s official channels for patches addressing CVE-2026-0548 and apply updates promptly once released.
2. Until patches are available, restrict subscriber-level permissions to the minimum necessary, removing any unnecessary capabilities that might allow attachment deletion.
3. Implement additional access controls or plugins that enforce stricter authorization checks on file deletion operations within WordPress.
4. Audit and monitor logs for unusual attachment deletion activities, especially from subscriber or low-privilege accounts.
5. Educate administrators and users about the risk and encourage strong authentication practices to reduce the risk of account compromise.
6. Consider isolating critical eLearning content storage from the WordPress environment or using external content delivery networks with stricter access controls.
7. Regularly back up all site content, including attachments, to enable rapid restoration in case of unauthorized deletions.
8. Review and harden WordPress security configurations and user role assignments to minimize attack surface.
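To support the audit recommendation above, here is an added example (not part of the advisory or of Tutor LMS) of a small mu-plugin that logs every attachment deletion with the acting user's roles and flags deletions by accounts lacking the capability WordPress expects for it. It hooks the core `delete_attachment` action; the log prefix `[attachment-audit]` is an assumed convention for filtering.

```php
<?php
// Added example (not Tutor LMS code): audit attachment deletions so that removals
// performed by subscriber-level or other low-privilege accounts stand out in the log.
add_action( 'delete_attachment', function ( $post_id, $post ) {
    $user  = wp_get_current_user();           // ID 0 when no user is logged in
    $roles = $user->roles ? implode( ',', $user->roles ) : 'none';

    // A deletion by a caller without 'delete_post' on this attachment is exactly the
    // condition a missing capability check would allow; mark it for alerting.
    $flag = current_user_can( 'delete_post', $post_id ) ? 'ok' : 'NO-CAP';

    $line = sprintf(
        '[attachment-audit] %s user=%d login=%s roles=%s attachment=%d file=%s ip=%s',
        $flag,
        $user->ID,
        $user->user_login,
        $roles,
        $post_id,
        (string) get_attached_file( $post_id ),
        sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' )
    );
    error_log( $line );                       // goes to the PHP/WordPress debug log
}, 10, 2 );
```

Lines tagged `NO-CAP` are the ones to route to an alert; a steady stream of them from subscriber accounts is the signature of the behaviour this advisory describes.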
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-01T16:58:14.820Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696fd2e84623b1157c48f856
Added to database: 1/20/2026, 7:09:28 PM
Last enriched: 1/20/2026, 7:21:29 PM
Last updated: 2/7/2026, 6:54:07 AM