The researcher reported an Insecure Direct Object Reference (IDOR) allowing an attacker to extract information about Learning Groups which is disclosed to only paid subscribers of the course.