📄 Description (English)
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.
🤖 AI Executive Summary
Tutor LMS WordPress plugin versions up to 3.9.5 contain critical IDOR vulnerabilities in bulk action functions, allowing authenticated instructors to modify or delete courses they don't own. This affects educational institutions and e-learning platforms across Saudi Arabia that rely on this plugin for course management. Immediate patching is essential to prevent unauthorized course manipulation and data loss.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 26, 2026 04:48
🇸🇦 Saudi Arabia Impact Assessment
High impact on Saudi educational sector including universities, vocational training centers, and private e-learning platforms using Tutor LMS. Ministry of Education institutions and ARAMCO training divisions utilizing this plugin face risks of course sabotage, unauthorized content modification, and loss of intellectual property. Government agencies providing online training through WordPress-based platforms are also vulnerable. The vulnerability enables insider threats from disgruntled instructors to compromise course integrity and student learning outcomes.
🏢 Affected Saudi Sectors
Education (Universities, Vocational Training)
Government (Ministry of Education, Training Centers)
Energy (ARAMCO Training Programs)
Healthcare (Medical Training Institutions)
Telecommunications (STC Training Platforms)
Private Sector (Corporate Training)
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
1. IMMEDIATE: Update Tutor LMS plugin to version 3.9.6 or later immediately across all WordPress installations
2. VERIFICATION: Audit course modification logs for unauthorized changes since plugin deployment; review instructor access patterns
3. ACCESS CONTROL: Implement role-based access controls (RBAC) limiting bulk action permissions to administrators only; restrict instructor bulk operations
4. DETECTION: Monitor for suspicious bulk action requests via WordPress audit logs; alert on course deletions/modifications by non-owners
5. COMPENSATING CONTROL: If immediate patching impossible, disable bulk action functionality via plugin settings or code modification
6. BACKUP: Ensure daily course database backups are in place for recovery from unauthorized deletions
7. REVIEW: Audit all instructor accounts for suspicious activity; revoke access for terminated staff immediately
🔧 خطوات المعالجة (العربية)
1. فوري: تحديث مكون Tutor LMS إلى الإصدار 3.9.6 أو أحدث فورًا عبر جميع تثبيتات WordPress
2. التحقق: تدقيق سجلات تعديل الدورات للتغييرات غير المصرح بها منذ نشر المكون؛ مراجعة أنماط وصول المدرب
3. التحكم في الوصول: تنفيذ التحكم في الوصول القائم على الأدوار (RBAC) يقيد أذونات الإجراء الجماعي للمسؤولين فقط؛ تقييد عمليات المدرب الجماعية
4. الكشف: مراقبة طلبات الإجراء الجماعي المريبة عبر سجلات تدقيق WordPress؛ التنبيه عند حذف/تعديل الدورات من قبل غير المالكين
5. التحكم التعويضي: إذا كان التصحيح الفوري مستحيلًا، قم بتعطيل وظيفة الإجراء الجماعي عبر إعدادات المكون أو تعديل الكود
6. النسخ الاحتياطية: التأكد من وجود نسخ احتياطية يومية لقاعدة بيانات الدورات للاسترجاع من الحذف غير المصرح
7. المراجعة: تدقيق جميع حسابات المدرب للنشاط المريب؛ إلغاء الوصول للموظفين المنتهية خدمتهم فورًا
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.2.1 - User access management and authorization controls
ECC 2024 A.9.4.3 - Access control for information systems
ECC 2024 A.12.4.1 - Event logging and monitoring
ECC 2024 A.14.2.1 - Secure development and change management
🔵 SAMA CSF
SAMA CSF ID.AC-1 - Access Control Policy and Procedures
SAMA CSF PR.AC-1 - Identities and credentials are issued, managed, verified, revoked and audited
SAMA CSF DE.AE-1 - A baseline of network operations and expected data flows for users and systems is established and managed
SAMA CSF DE.CM-1 - The network is monitored to detect potential cybersecurity events
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of duties
ISO 27001:2022 A.8.2 - User registration and de-registration
ISO 27001:2022 A.9.2 - User access management
ISO 27001:2022 A.9.4 - Access control
ISO 27001:2022 A.12.4 - Logging
🔗 References & Sources 5
🔗
🔗
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L289
security@wordfence.com
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L437
security@wordfence.com
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L463
security@wordfence.com
https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/classes/Course_List.ph...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fce-46125...
security@wordfence.com