📄 WordPress Tutor LMS 3.9.5 Insecure Direct Object Reference

# CVE-2026-1375: Authenticated IDOR / Broken Access Control in Tutor LMS Plugin
    
    > **Disclaimer:** This repository is created for **educational purposes and ethical disclosure only**. The vulnerability has been responsibly reported to the vendor and patched. Do not use this information to exploit systems without proper authorization.
    
    ## Summary
    
    **Insecure Direct Object Reference (IDOR) / Broken Access Control** vulnerability was discovered in the **Tutor LMS** plugin for WordPress (versions <= 3.9.5). This flaw allows a low-privileged user with the **Tutor Instructor** role to perform unauthorized bulk actions, such as changing the publication status or permanently deleting courses owned by other instructors or administrators.
    
    By intercepting a legitimate backend request and tampering with the course ID parameter, an attacker can bypass intended access controls. In a real-world scenario, this allows malicious actors to sabotage competitor courses on a multi-instructor marketplace, causing direct business disruption, revenue loss, and reputational damage.
    
    ## Vulnerability Overview
    
    * **CVE ID:** CVE-2026-1375
    * **Product:** Tutor LMS (WordPress Plugin)
    * **Affected Versions:** `<= 3.9.5`
    * **Patched Versions:** `3.9.6`
    * **Vulnerability Type:** Insecure Direct Object Reference (IDOR) / Broken Access Control (CWE-284)
    * **Required Privileges:** Authenticated (Tutor Instructor)
    
    ## Root Cause
    
    The core issue stems from **missing object-level authorization checks** within the plugin's bulk action handler.
    
    **File:** `tutor/classes/Course_List.php`
    **Function:** `course_list_bulk_action()`
    
    **1. Unvalidated Object Identifiers:**
    The function accepts user-controlled inputs (`bulk-action` and `bulk-ids`) directly from the HTTP request. While the plugin verifies that the user holds a general capability to manage courses, it entirely fails to verify per-course ownership for the specific IDs supplied in the `bulk-ids` array.
    
    **2. Execution Without Ownership Verification:**
    When the status update path (`update_course_status()`) or the deletion path (`bulk_delete_course()`) is triggered, the code iterates over the attacker-supplied IDs. It executes database operations (e.g., updating `cp_posts.post_status`) using a `WHERE ID IN (...)` clause without appending a condition to ensure `$post_author == $current_user_id`.
    
    Because the handler does not enforce object-level authorization, any instructor with access to the bulk action workflow can manipulate arbitrary course IDs.
    
    ## Business Impact
    
    * **Business Disruption:** Victim courses can be taken offline (moved to trash, draft, or private) without consent, removing them from public listings.
    * **Revenue Loss:** On multi-instructor platforms or marketplaces, hiding a competitor's course directly impacts their enrollments and income.
    * **Data Destruction:** If the bulk delete feature is accessible, an attacker could permanently erase course content that does not belong to them.
    
    ## Proof of Concept (PoC)
    
    The following steps demonstrate how an authenticated Tutor Instructor can change the status of another instructor's course.
    
    ### Manual Exploitation Steps
    
    1. **Prerequisites:** 
       * Log in to the WordPress dashboard as a **Tutor Instructor** (Attacker).
       * Identify the target `course_id` belonging to another instructor (Victim). (e.g., ID: 27).
    2. **Trigger Action:** Navigate to the Tutor LMS course list (`/wp-admin/admin.php?page=tutor`). Select any course you own, choose a status change action (e.g., set to "draft"), and click "Apply".
    3. **Intercept Request:** Use a proxy tool like Burp Suite to intercept the outbound `POST` request to `/wp-admin/admin-ajax.php`.
    4. **Payload Modification:** 
       * Change the `status` parameter to `trash` (or `pending`, `private`).
       * Change the `id` parameter from your course ID to the Victim's course ID (`27`).
    5. **Execution:** Forward the modified request.
    6. **Result:** The server responds with `{"success":true}`. The victim's course is successfully moved to the trash and disappears from the public frontend.
    
    ## Timeline
    
    * **Date (2026-01-23):** Reported to Wordfence.
    * **Date (2026-02-03):** Vulnerability patched / Public disclosure.
    
    ## References & Credits
    
    * [Wordfence Vulnerability Database](https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fce-461257420eb6)
    * [CVE-2026-1375 on NVD](https://www.cve.org/CVERecord?id=CVE-2026-1375)
    * [MyRewards Plugin on WordPress.org](https://wordpress.org/plugins/tutor/)