Atomic Edge analysis of CVE-2026-23799:
The vulnerability is a missing authorization check in the Tutor LMS WordPress plugin versions up to 3.9.5. This allows authenticated attackers with Subscriber-level access or higher to perform unauthorized actions. The CVSS score of 4.3 indicates a medium severity vulnerability with limited impact scope.

Atomic Edge research identifies the root cause in the `delete_course` function within the `Course` class. The function at `/tutor/classes/Course.php` lacks a capability check before processing builder-specific cleanup operations. The diff shows the vulnerable code path starts at line 1174, where the function handles different page builder types. The function executes `delete_post_meta` and `wp_update_post` operations without verifying the user has permission to modify the course. The missing authorization check occurs before the builder-specific logic executes.

Attackers exploit this vulnerability by sending a POST request to the WordPress admin-ajax.php endpoint with the `action` parameter set to `tutor_delete_course`. The request must include a valid `course_id` parameter and a `builder` parameter. Subscriber-level authenticated users can specify any valid course ID and builder type to trigger unauthorized metadata deletion or post content modification. The exploit requires a valid WordPress nonce, which Subscriber users can obtain through normal plugin interaction.

The patch adds a capability check in the `delete_course` function. Atomic Edge analysis confirms the fix implements `tutor_utils()->check_current_user_capability()` at the beginning of the function. This function verifies the user has appropriate permissions before processing any course deletion operations. The patch ensures only users with proper course editing privileges can execute builder-specific cleanup. The before behavior allowed any authenticated user to trigger the function, while the after behavior restricts access to authorized users only.

The vulnerability enables authenticated attackers to modify course metadata and content. Successful exploitation could disrupt course functionality by removing builder-specific settings or altering post content. Attackers could degrade course presentation or interfere with page builder integrations. The impact is limited to data modification rather than privilege escalation or remote code execution.