Atomic Edge analysis of CVE-2026-1375:
This vulnerability is an Insecure Direct Object Reference (IDOR) in the Tutor LMS WordPress plugin affecting versions up to and including 3.9.5. The vulnerability allows authenticated attackers with Tutor Instructor-level permissions or higher to modify or delete arbitrary courses they do not own. The issue stems from missing object-level authorization checks in bulk action functions, leading to unauthorized course manipulation.

Atomic Edge research identifies the root cause in the `course_list_bulk_action()` function within `/tutor/classes/Course_List.php`. The function processes bulk actions for courses but lacks verification that the submitted course IDs belong to the current user. Specifically, lines 291-302 in the vulnerable version check only for user capabilities (`edit_tutor_course`) and site-wide publishing permissions (`instructor_can_publish_course`), but never validate ownership of the courses referenced in the `$bulk_ids` parameter. This allows instructors to submit arbitrary course IDs they do not own.

The exploitation method requires an authenticated attacker with Tutor Instructor privileges. The attacker sends a POST request to the WordPress admin-ajax.php endpoint with the action parameter set to `tutor_course_list_bulk_action`. The request includes a `bulk_action` parameter (such as `delete` or `publish`) and a `bulk_ids` parameter containing comma-separated course IDs that the attacker does not own. The plugin processes these IDs without ownership verification, executing the requested bulk action on unauthorized courses.

The patch adds authorization checks in the `course_list_bulk_action()` function. Lines 290-321 in the patched version introduce a new validation step: after capability checks, the function explodes the `$bulk_ids` string into an array, filters it using `tutor_utils()->is_instructor_of_this_course()` to retain only courses owned by the current user, then re-implodes the filtered array. This ensures instructors can only perform bulk actions on their own courses. The fix maintains existing capability checks while adding the missing ownership verification.
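The ownership filter the patch describes, as an added example that is not Tutor LMS code: a minimal stand-in for `tutor_utils()->is_instructor_of_this_course()` (its signature here is assumed) is run over a constructed course-owner table, and the unfiltered ID list is shown beside the filtered one so the difference in what reaches the bulk action is visible.

```php
<?php
// Added example, not code from the Tutor LMS plugin. Course ownership and the
// current user are constructed stand-ins for WordPress/Tutor state.

// Constructed fixture: course ID => owning instructor's user ID.
$courseOwners = [101 => 7, 102 => 7, 103 => 9, 104 => 11];
$currentUserId = 7;

// Stand-in for tutor_utils()->is_instructor_of_this_course() (assumed signature).
function is_instructor_of_this_course(array $owners, int $userId, int $courseId): bool
{
    return isset($owners[$courseId]) && $owners[$courseId] === $userId;
}

// Pattern the advisory describes for the vulnerable version: after the
// capability check, every submitted ID is passed straight to the bulk action.
function bulk_ids_unfiltered(string $bulkIds): array
{
    return array_map('intval', explode(',', $bulkIds));
}

// Pattern the advisory describes for the patched version: explode the list,
// keep only courses the current user owns, then re-implode it.
function bulk_ids_filtered(string $bulkIds, array $owners, int $userId): string
{
    $ids = array_map('intval', explode(',', $bulkIds));
    $owned = array_filter(
        $ids,
        fn(int $id): bool => is_instructor_of_this_course($owners, $userId, $id)
    );
    return implode(',', array_values($owned));
}

// Constructed request body: two IDs owned by user 7, two owned by others.
$submittedBulkIds = '101,103,104,102';

$unfiltered = bulk_ids_unfiltered($submittedBulkIds);
$filtered   = bulk_ids_filtered($submittedBulkIds, $courseOwners, $currentUserId);

// Defensive self-check: no course outside the caller's ownership may survive.
foreach (explode(',', $filtered) as $id) {
    if (!is_instructor_of_this_course($courseOwners, $currentUserId, (int) $id)) {
        throw new RuntimeException("ownership filter leaked course $id");
    }
}

echo 'unfiltered: ' . implode(',', $unfiltered) . PHP_EOL;
echo 'filtered:   ' . $filtered . PHP_EOL;
```

The same filter belongs in every bulk handler that accepts caller-supplied object IDs, since a capability check alone only establishes that the user may act on some course, not on the specific ones named in the request.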

Successful exploitation allows attackers to delete or modify any course on the platform, regardless of ownership. This can lead to complete course takedowns, unauthorized content changes, or disruption of the learning platform. While the vulnerability requires Instructor-level access, many Tutor LMS deployments grant this role to multiple users, increasing the attack surface. The CVSS 8.1 score reflects the high impact on confidentiality, integrity, and availability of course data.