CVE-2026-6965: IDOR in Tutor LMS – eLearning Plugin
Platform
wordpress
Component
tutor
Fixed in
3.9.10
CVE-2026-6965 describes an Insecure Direct Object Reference (IDOR) vulnerability discovered in the Tutor LMS plugin for WordPress. This flaw allows attackers to bypass authorization checks and potentially gain unauthorized access to instructor-level functionalities within the eLearning platform. The vulnerability affects versions of Tutor LMS from 0.0.0 up to and including 3.9.9, and a fix is available in version 3.9.10.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
The core of the vulnerability lies in the getcourseidby() function, which blindly trusts the course GET parameter. An attacker can craft a malicious URL with a manipulated course parameter to point to a different course than the one they are legitimately authorized to manage. This crafted URL is then processed by canuser_manage(), the plugin's authorization gate. Because the authorization check is performed against the attacker-controlled course ID, they can effectively impersonate an instructor and perform actions they shouldn't be able to. This could include modifying course content, deleting lessons, or even managing student enrollments. The blast radius extends to any course accessible through the WordPress installation, and the potential for data modification or deletion is significant.
Exploitation Context
CVE-2026-6965 was published on 2026-05-13. Its severity is currently assessed as MEDIUM. There are no known public exploits or active campaigns targeting this vulnerability at the time of writing. The vulnerability is not listed on KEV (Key Evidence Base) or has not received an EPSS (Exploit Prediction Scoring System) score. Monitor security advisories and vulnerability databases for updates on exploitation activity.
Threat Intelligence
Exploit Status
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- None — no confidentiality impact. Attacker cannot read protected data.
- Integrity
- Low — attacker can modify some data with limited scope or impact.
- Availability
- None — no availability impact. Service remains fully operational.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
Mitigation and Workarounds
The primary mitigation for CVE-2026-6965 is to immediately upgrade the Tutor LMS plugin to version 3.9.10 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by restricting access to the getcourseid_by() function and validating the course parameter against the user's session or role. Web Application Firewalls (WAFs) can be configured to block requests with suspicious course parameters. Monitor WordPress logs for unusual activity related to course management operations, specifically looking for requests with unexpected or manipulated course IDs. After upgrading, verify the fix by attempting to access a course as a user with limited privileges and confirming that unauthorized actions are blocked.
How to fix
Update to version 3.9.10, or a newer patched version
Frequently asked questions
What is CVE-2026-6965 — IDOR in Tutor LMS?
CVE-2026-6965 is an Insecure Direct Object Reference (IDOR) vulnerability affecting Tutor LMS versions 0.0.0–3.9.9. It allows attackers to manipulate course IDs to gain unauthorized access to instructor functions.
Am I affected by CVE-2026-6965 in Tutor LMS?
Yes, if your WordPress site uses Tutor LMS version 0.0.0 through 3.9.9, you are potentially affected by this IDOR vulnerability. Upgrade immediately.
How do I fix CVE-2026-6965 in Tutor LMS?
Upgrade the Tutor LMS plugin to version 3.9.10 or later to resolve the IDOR vulnerability. If upgrading is not possible, implement temporary workarounds like restricting access to the vulnerable function.
Is CVE-2026-6965 being actively exploited?
As of the current assessment, CVE-2026-6965 is not known to be actively exploited. However, it's crucial to apply the fix promptly to prevent potential future exploitation.
Where can I find the official Tutor LMS advisory for CVE-2026-6965?
Refer to the official Tutor LMS website and WordPress plugin repository for the latest security advisories and updates related to CVE-2026-6965.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Scan your WordPress project now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...