CVE-2026-0548 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Tutor LMS plugin for WordPress, a popular eLearning and online course solution. The vulnerability exists in the delete_existing_user_photo function, which lacks proper capability checks to verify if an authenticated user has the authorization to delete attachments. As a result, any authenticated user with subscriber-level permissions or higher can delete arbitrary attachments on the affected WordPress site. This flaw compromises the integrity and availability of site content by allowing unauthorized deletion of files, potentially disrupting course materials or user data. The vulnerability affects all versions of Tutor LMS up to and including version 3.9.4. The CVSS v3.1 base score is 5.4, indicating a medium severity level, with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L, meaning the attack can be performed remotely over the network with low attack complexity, requires low privileges (authenticated user), no user interaction, and impacts integrity and availability but not confidentiality. No patches or fixes have been released at the time of publication, and no known exploits have been observed in the wild. The vulnerability is significant in environments where multiple users have subscriber or higher roles, as it allows unauthorized modification of site attachments, which could be leveraged for denial of service or content manipulation.

The impact of CVE-2026-0548 is primarily on the integrity and availability of data within WordPress sites using the Tutor LMS plugin. Unauthorized deletion of attachments can disrupt eLearning content delivery, cause loss of important course materials, and degrade user experience. Organizations relying on Tutor LMS for critical training or educational services may face operational disruptions and potential reputational damage. Since the vulnerability requires authenticated access at subscriber level or above, attackers who gain or already have such access can exploit this flaw without additional user interaction. This could facilitate insider threats or exploitation of compromised user accounts. Although confidentiality is not directly impacted, the ability to delete arbitrary attachments can lead to denial of service conditions and content tampering. The absence of known exploits reduces immediate risk, but the medium severity score and ease of exploitation warrant prompt attention. The vulnerability could also be chained with other flaws to escalate impact.

To mitigate CVE-2026-0548, organizations should immediately audit user roles and permissions within their WordPress installations to ensure that subscriber-level users are restricted appropriately and that only trusted users have authenticated access. Until an official patch is released, consider temporarily disabling the Tutor LMS plugin or restricting access to the affected functionality via custom code or security plugins that enforce capability checks on the delete_existing_user_photo function. Implement strict monitoring and alerting for unusual attachment deletion activities to detect potential exploitation attempts early. Employ web application firewalls (WAFs) with custom rules to block suspicious requests targeting the vulnerable function. Regularly back up all site content and attachments to enable recovery in case of unauthorized deletions. Stay informed about updates from the vendor and apply patches promptly once available. Additionally, enforce strong authentication mechanisms and consider multi-factor authentication to reduce the risk of compromised accounts being used to exploit this vulnerability.