CVE-2026-1375
Published: 03 February 2026
Summary
CVE-2026-1375 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in WordPress (product inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It is ranked at the 5.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations for access to resources, directly addressing the missing object-level checks in course bulk action functions.
AC-24 requires explicit access control decisions for specific resources like courses, preventing manipulation of arbitrary course IDs by unauthorized instructors.
AC-6 least privilege restricts instructor access to only owned courses, mitigating unauthorized modifications even if coarse role permissions exist.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
IDOR in a public-facing WordPress plugin directly enables exploitation for privilege escalation (T1068) and exploitation of a public-facing application (T1190); it also facilitates arbitrary course deletion (T1485) and stored data manipulation (T1565.001).
NVD Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.
Deeper analysis
CVE-2026-1375 is an Insecure Direct Object Reference (IDOR) vulnerability, mapped to CWE-639, affecting the Tutor LMS eLearning and online course solution plugin for WordPress in all versions up to and including 3.9.5. The flaw arises from missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions within the `classes/Course_List.php` file, allowing unauthorized manipulation of course data.
Authenticated attackers possessing Tutor Instructor-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction. By manipulating course IDs in bulk action requests, they can modify or delete arbitrary courses they do not own, potentially disrupting eLearning platforms. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), reflecting high integrity and availability impacts.
Advisories reference the vulnerable code at specific lines of `Course_List.php` in the plugin's WordPress Trac repository for tag 3.9.5 (lines 289, 437, and 463), along with changeset 3448615 in trunk, which changes `Course_List.php` to close the authorization gaps. Further details on detection and impact are provided in Wordfence's threat intelligence entry.
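The authorization gap described above, as an added illustration that is not Tutor LMS's code and not the project's fix: a hypothetical WordPress AJAX bulk-action handler that trusts every submitted course ID, beside one that verifies ownership of each ID before writing anything. The function names, the nonce action, the `bulk-ids` and `status` request fields and the `courses` post type are assumptions.

```php
<?php
// Added example, not plugin code. Assumes a custom post type 'courses'
// whose post_author is the instructor who owns the course.

// VULNERABLE PATTERN: the coarse role check passes for any instructor,
// but nothing ties each submitted course ID to the current user (CWE-639).
function bulk_update_status_vulnerable() {
    check_ajax_referer( 'course_bulk_nonce_assumed', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $ids    = array_map( 'absint', (array) ( $_POST['bulk-ids'] ?? array() ) );
    $status = sanitize_key( $_POST['status'] ?? '' );
    foreach ( $ids as $id ) {
        // Every ID in the request is updated, whether or not the caller owns it.
        wp_update_post( array( 'ID' => $id, 'post_status' => $status ) );
    }
    wp_send_json_success();
}

// HARDENED PATTERN: an object-level decision for every ID (AC-3, AC-24, AC-6).
function bulk_update_status_hardened() {
    check_ajax_referer( 'course_bulk_nonce_assumed', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $status = sanitize_key( $_POST['status'] ?? '' );
    if ( ! in_array( $status, array( 'publish', 'draft', 'pending', 'trash' ), true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }
    $ids = array_map( 'absint', (array) ( $_POST['bulk-ids'] ?? array() ) );
    foreach ( $ids as $id ) {
        $course = get_post( $id );
        // Reject unknown IDs and objects of the wrong type before any ownership test.
        if ( ! $course || 'courses' !== $course->post_type ) {
            wp_send_json_error( "course $id not found", 404 );
        }
        // Ownership is decided per object; only users allowed to edit others'
        // content (administrators, by default) may act on courses they do not own.
        if ( (int) $course->post_author !== get_current_user_id()
            && ! current_user_can( 'edit_others_posts' ) ) {
            wp_send_json_error( "not authorized for course $id", 403 );
        }
    }
    // All IDs are validated first, so one foreign ID rejects the whole batch
    // instead of leaving a partially applied bulk action.
    foreach ( $ids as $id ) {
        wp_update_post( array( 'ID' => $id, 'post_status' => $status ) );
    }
    wp_send_json_success();
}
```

The same per-ID check belongs in every bulk entry point (delete as well as status change); a single coarse capability test at the top of the handler is what the CWE-639 pattern slips past.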
Details
- CWE(s)