CVE-2026-1375: CWE-639 Authorization Bypass Through User-Controlled Key in themeum Tutor LMS – eLearning and online course solution
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-1375 is an authorization bypass vulnerability in the Tutor LMS plugin for WordPress, affecting all versions up to and including 3.9.5. The root cause is the lack of object-level authorization checks in the functions course_list_bulk_action(), bulk_delete_course(), and update_course_status(). These functions handle bulk operations on courses but never verify that the authenticated user owns, or otherwise has permission to modify, each course ID supplied in the request. As a result, an attacker with Tutor Instructor-level privileges or higher can place course IDs they do not own in a bulk action request and have those courses modified or deleted. This is an Insecure Direct Object Reference (IDOR), categorized under CWE-639. Exploitation requires authentication with at least Instructor-level access but no further user interaction. The CVSS v3.1 score is 8.1 (High): network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, and high integrity and availability impact. No public exploit code or active exploitation has been reported yet. The vulnerability poses a significant risk to the integrity and availability of course content in affected Tutor LMS deployments, potentially allowing unauthorized course deletions or status changes.
Potential Impact
The primary impact of CVE-2026-1375 is unauthorized modification or deletion of course content within Tutor LMS installations. This can disrupt eLearning services by removing or altering courses, leading to loss of educational material and interruption of learning activities. The integrity of course data is compromised, which can undermine trust in the platform. Availability is also affected as courses may become inaccessible or deleted. Since the vulnerability requires authenticated access at Instructor-level or above, attackers must already have some level of privilege, but can escalate damage by affecting courses beyond their ownership. Organizations relying on Tutor LMS for critical training or educational delivery may face operational disruptions, reputational damage, and potential compliance issues if course data is lost or manipulated. The lack of confidentiality impact reduces risk of data leakage, but the high integrity and availability impact still make this a serious threat.
Mitigation Recommendations
To mitigate CVE-2026-1375, organizations should:
- Upgrade Tutor LMS to a patched version as soon as the vendor releases one.
- Until a patch is available, restrict Instructor-level privileges to trusted users only and audit existing user roles to minimize risk.
- Implement strict monitoring and logging of bulk course actions to detect anomalous or unauthorized modifications.
- Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious bulk action requests that manipulate course IDs.
- Consider disabling bulk course management features if they are not essential.
- Regularly review and enforce the principle of least privilege for all LMS users.
- Conduct penetration testing and code reviews focused on authorization checks in custom LMS plugins or integrations.
- Maintain backups of course data to enable recovery after unauthorized deletions.
- Educate LMS administrators and instructors about the risks of privilege misuse and suspicious activity.
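One way to close the gap the advisory describes, as an added example that is not Tutor LMS's own code: every ID in a bulk request is checked against the current user's capability on that specific post before anything is acted on, and any denied ID is logged to support the monitoring recommended above. The request parameter name `bulk-ids`, the nonce action `tutor_bulk_action`, and the `courses` post type slug are assumptions, as is the use of WordPress meta capabilities (`delete_post`) for per-course ownership.

```php
<?php
// Added example, not Tutor LMS code: a bulk course action that enforces
// object-level authorization on every requested ID and logs denials.
// Assumptions (not from the advisory): IDs arrive comma-separated in
// $_POST['bulk-ids'], the course post type slug is 'courses', and the
// nonce action name 'tutor_bulk_action' is hypothetical.

/**
 * Return only the course IDs the current user may act on.
 * $cap is a WordPress meta capability ('delete_post' or 'edit_post'), which
 * WordPress resolves per post: the author passes for their own courses, while
 * another instructor fails unless they hold delete_others_posts for the type.
 */
function authorize_course_ids( array $course_ids, string $cap ): array {
    $allowed = array();
    foreach ( $course_ids as $raw ) {
        $id   = absint( $raw );
        $post = $id ? get_post( $id ) : null;
        // Reject IDs that are not courses, then check the capability on that object.
        if ( ! $post || 'courses' !== $post->post_type ) {
            continue;
        }
        if ( current_user_can( $cap, $id ) ) {
            $allowed[] = $id;
        }
    }
    return $allowed;
}

function hardened_bulk_delete_course(): void {
    check_ajax_referer( 'tutor_bulk_action', '_wpnonce' ); // CSRF gate (hypothetical action name)
    $raw       = sanitize_text_field( wp_unslash( $_POST['bulk-ids'] ?? '' ) );
    $requested = array_filter( array_map( 'absint', explode( ',', $raw ) ) );
    $allowed   = authorize_course_ids( $requested, 'delete_post' );
    $denied    = array_values( array_diff( $requested, $allowed ) );

    // Denied IDs are the IDOR signal: a user naming courses they may not act on.
    if ( $denied ) {
        error_log( sprintf( 'tutor bulk delete: user %d denied for course IDs %s',
            get_current_user_id(), implode( ',', $denied ) ) );
    }
    foreach ( $allowed as $id ) {
        wp_trash_post( $id ); // trash rather than hard-delete so recovery stays possible
    }
    wp_send_json_success( array( 'deleted' => $allowed, 'denied' => $denied ) );
}
```

The same per-ID filter, with `edit_post` instead of `delete_post`, applies to a status-update handler; a non-empty `denied` list in the log is the event to alert on.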
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, South Africa, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-23T18:04:32.011Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6981ab4df9fa50a62fae40ce
Added to database: 2/3/2026, 8:01:17 AM
Last enriched: 2/26/2026, 7:07:27 PM
Last updated: 3/24/2026, 12:50:30 AM