CVE-2026-1375 is an Insecure Direct Object Reference (IDOR) vulnerability classified under CWE-639, found in the Tutor LMS plugin for WordPress, a popular eLearning and online course management solution. The vulnerability affects all versions up to and including 3.9.5. It stems from missing object-level authorization checks in the functions course_list_bulk_action(), bulk_delete_course(), and update_course_status(). These functions handle bulk operations on courses, such as deletion or status updates. Authenticated users with Tutor Instructor-level privileges or higher can exploit this flaw by manipulating course IDs in bulk action requests to modify or delete courses they do not own. This bypasses intended access controls, leading to unauthorized modification or deletion of arbitrary courses. The vulnerability is remotely exploitable over the network, does not require user interaction, and only requires low privileges (Instructor-level access). The CVSS v3.1 score is 8.1, reflecting high impact on integrity and availability, with no impact on confidentiality. No public exploits are currently known, but the vulnerability poses a significant risk to the integrity and availability of course data in affected installations. The lack of patches at the time of reporting increases the urgency for mitigation.

For European organizations using Tutor LMS, this vulnerability can lead to unauthorized modification or deletion of course content by users who should not have such permissions. This undermines the integrity of educational content and can cause significant disruption to eLearning services, potentially impacting students, instructors, and administrative workflows. The availability of courses may be compromised if attackers delete or alter course data, leading to downtime or loss of critical educational resources. While confidentiality is not directly impacted, the loss of trust and operational disruption can have broader reputational and financial consequences. Organizations relying on Tutor LMS for compliance training or certification programs may face compliance risks if course integrity is compromised. The vulnerability is particularly concerning for institutions with multiple instructors and complex course management structures, where privilege separation is critical.

1. Immediately monitor for updates or patches from the vendor (themeum) and apply them as soon as they become available. 2. Until patches are released, restrict Tutor Instructor-level privileges to trusted users only, minimizing the number of users who can perform bulk course actions. 3. Implement additional access control mechanisms at the WordPress level, such as role-based access control plugins, to enforce stricter permissions on course management functions. 4. Audit existing courses and logs for unauthorized modifications or deletions to detect potential exploitation. 5. Consider disabling bulk course action features temporarily if feasible to reduce attack surface. 6. Educate instructors and administrators about the risk and encourage vigilance for suspicious activity. 7. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious bulk action requests that manipulate course IDs. 8. Regularly back up course data to enable recovery in case of data loss or tampering.