CVE-2026-1375

8.1 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers with Tutor Instructor-level access or higher to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests. It affects all Tutor LMS WordPress plugin versions up to and including 3.9.5.

💻 Affected Systems

Products:
  • Tutor LMS – eLearning and online course solution plugin for WordPress
Versions: All versions up to and including 3.9.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access with Tutor Instructor role or higher. WordPress multisite installations are also affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious instructors could delete or modify all courses on the platform, disrupting the entire e-learning operation and causing data loss.

🟠 Likely Case

Instructors abusing their privileges to delete competitors' courses or modify content they shouldn't have access to.

🟢 If Mitigated

With proper authorization checks, only course owners can manage their own courses, preventing unauthorized modifications.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward via HTTP request manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.6 or later

Vendor Advisory: https://wordpress.org/plugins/tutor/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Tutor LMS and click 'Update Now'.
4. Verify the update to version 3.9.6 or higher.

🔧 Temporary Workarounds

Restrict Instructor Access (applies to: all versions)

Temporarily remove Tutor Instructor roles from untrusted users until patching.

Web Application Firewall Rule (applies to: all versions)

Block bulk action requests containing course IDs not owned by the requesting user. Note that a generic WAF cannot determine course ownership from the request alone; this rule needs a server-side hook or a WAF integration that can look up who owns each submitted course ID, otherwise it degrades to rate-limiting or alerting on the bulk action parameters.

🧯 If You Can't Patch

  • Implement strict user role auditing and monitoring for all Tutor Instructor accounts.
  • Enable comprehensive logging of all course modification activities and review regularly.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Tutor LMS version. If version is 3.9.5 or lower, you are vulnerable.

Check Version:

wp plugin get tutor --field=version

Verify Fix Applied:

After updating, verify version is 3.9.6 or higher in WordPress admin plugins page.

📡 Detection & Monitoring

Log Indicators:

  • Multiple course deletion/modification requests from single instructor accounts
  • Bulk action requests with non-sequential course IDs

Network Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with action parameters: course_list_bulk_action, bulk_delete_course, update_course_status

SIEM Query:

source="wordpress" AND (action="course_list_bulk_action" OR action="bulk_delete_course" OR action="update_course_status") AND user_role="tutor_instructor"
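The log and network indicators above can be turned into a small detection routine. The following is an added example, not code from the advisory or from the Tutor LMS project: it parses constructed request-log lines (the log format, the user names and the `ids` parameter name are assumptions for illustration; only the three action names come from the advisory), keeps POSTs to admin-ajax.php whose action matches one of those names, and flags instructor accounts that issue repeated bulk course actions or submit non-sequential course IDs.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Action names listed in the advisory's network indicators.
BULK_ACTIONS = {"course_list_bulk_action", "bulk_delete_course", "update_course_status"}

# Constructed sample log lines (not real traffic). Assumed format: a request log
# written by a logging plugin or reverse proxy that records the authenticated
# user, role, method, path and the POST body.
SAMPLE_LOG = """\
2026-01-10T09:00:01Z user=alice role=tutor_instructor POST /wp-admin/admin-ajax.php body="action=save_course_draft&ids=101"
2026-01-10T09:00:05Z user=mallory role=tutor_instructor POST /wp-admin/admin-ajax.php body="action=course_list_bulk_action&ids=101,102,103"
2026-01-10T09:00:09Z user=mallory role=tutor_instructor POST /wp-admin/admin-ajax.php body="action=bulk_delete_course&ids=7,250,9001"
2026-01-10T09:00:12Z user=mallory role=tutor_instructor POST /wp-admin/admin-ajax.php body="action=update_course_status&ids=42&status=draft"
2026-01-10T09:01:00Z user=admin role=administrator POST /wp-admin/admin-ajax.php body="action=bulk_delete_course&ids=300,301"
2026-01-10T09:02:00Z user=bob role=subscriber GET /wp-admin/admin-ajax.php body=""
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) (?P<method>[A-Z]+) '
    r'(?P<path>\S+) body="(?P<body>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    params = parse_qs(rec["body"])
    rec["action"] = params.get("action", [None])[0]
    # The "ids" parameter name is an assumption for this example.
    ids_raw = params.get("ids", [""])[0]
    rec["ids"] = [int(x) for x in ids_raw.split(",") if x.strip().isdigit()]
    return rec


def is_bulk_course_request(rec):
    """Network indicator: POST to admin-ajax.php with one of the listed actions."""
    return (rec["method"] == "POST"
            and rec["path"].endswith("/wp-admin/admin-ajax.php")
            and rec["action"] in BULK_ACTIONS)


def ids_non_sequential(ids):
    """Log indicator: course IDs that do not form one contiguous run."""
    if len(ids) < 2:
        return False
    s = sorted(ids)
    return any(b - a != 1 for a, b in zip(s, s[1:]))


def analyze(log_text, threshold=2):
    """Return one alert per instructor account whose bulk activity looks suspicious.

    threshold: number of bulk course actions from a single instructor that
    triggers the "multiple requests" indicator.
    """
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_bulk_course_request(rec) and rec["role"] == "tutor_instructor":
            per_user[rec["user"]].append(rec)

    alerts = []
    for user, recs in per_user.items():
        reasons = []
        if len(recs) >= threshold:
            reasons.append(f"{len(recs)} bulk course actions")
        if any(ids_non_sequential(r["ids"]) for r in recs):
            reasons.append("non-sequential course IDs")
        if reasons:
            alerts.append({
                "user": user,
                "count": len(recs),
                "reasons": reasons,
                "course_ids": sorted({i for r in recs for i in r["ids"]}),
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample input only the `mallory` account is reported: three bulk course actions and one request whose IDs (7, 250, 9001) are not contiguous. The administrator's bulk deletion is ignored because the advisory's SIEM query scopes to the `tutor_instructor` role; a real deployment should additionally compare the submitted IDs against the requesting user's own courses, since instructors legitimately bulk-edit their own material.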
