Tutor LMS Insecure Direct Object Reference Vulnerability Allowing Unauthorized Course Modification and Deletion

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Tutor LMS WordPress plugin, affecting all versions through 3.9.5. The issue arises from missing authorization checks in several functions, including 'course_list_bulk_action()', 'bulk_delete_course()', and 'update_course_status()': these functions verify the caller's role but do not verify that the caller owns each course ID submitted in a bulk action request. As a result, authenticated users with Tutor Instructor-level access or higher can substitute arbitrary course IDs into a bulk action request and modify or delete courses they do not own.

Impact

Exploitation of this vulnerability allows authenticated users with Instructor-level access or higher to modify or delete arbitrary courses, including courses owned by other instructors. Because the affected code paths are bulk actions, a single request can affect many courses at once.

Reproduction

To reproduce this vulnerability, an authenticated user with Tutor Instructor-level access submits a bulk action (for example a bulk delete or a status change) through the WordPress admin interface and alters the course IDs carried in that request. Because the server only checks the caller's role and not the ownership of each submitted ID, the action is applied to courses the user does not own. The admin interface is merely a convenient way to generate the request; the same request can be sent directly, so client-side restrictions on which courses are listed offer no protection.
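The defect described in the Vulnerability and Reproduction sections, as an added PHP illustration that is not Tutor LMS code: a WordPress AJAX bulk-delete handler in the vulnerable shape (role check only, every submitted ID trusted) beside a hardened version that authorizes each course ID individually, with the same helper reused for a bulk status change. The action names, nonce name, 'course_ids' and 'status' parameters, and the 'courses' post type are assumptions made for this example only.

```php
<?php
/**
 * Added illustration, not Tutor LMS code. Shows the authorization defect the
 * advisory describes (a role check with no per-object ownership check) beside
 * a hardened version. The AJAX action names, nonce name, 'course_ids' and
 * 'status' parameters and the 'courses' post type are assumptions made for
 * this example only.
 */

// VULNERABLE shape: the only gate is the caller's role. Every course ID in
// the request is trusted, so an instructor can delete courses they do not own
// simply by putting other instructors' course IDs into the request.
function example_vulnerable_bulk_delete() {
    check_ajax_referer( 'example_bulk_action', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {      // role-level check only
        wp_send_json_error( 'forbidden', 403 );
    }
    $ids = array_map( 'absint', (array) ( $_POST['course_ids'] ?? array() ) );
    foreach ( $ids as $id ) {
        wp_delete_post( $id, true );                  // no ownership check: IDOR
    }
    wp_send_json_success( array( 'deleted' => $ids ) );
}

/**
 * Resolve every submitted ID to a course post the current user may act on.
 * Rejects the whole request if any ID is missing, is not a course, or belongs
 * to someone else (unless the caller holds the capability to act on others'
 * posts), so an attacker cannot smuggle foreign IDs in alongside their own.
 *
 * @param int[]  $ids        Course post IDs taken from the request.
 * @param string $others_cap Capability that allows acting on others' courses.
 * @return WP_Post[]
 */
function example_authorize_course_ids( array $ids, $others_cap ) {
    $ids   = array_values( array_unique( array_filter( array_map( 'absint', $ids ) ) ) );
    $posts = array();
    foreach ( $ids as $id ) {
        $post = get_post( $id );
        if ( ! $post || 'courses' !== $post->post_type ) {
            wp_send_json_error( 'invalid course id', 400 );
        }
        $is_owner = (int) $post->post_author === get_current_user_id();
        if ( ! $is_owner && ! current_user_can( $others_cap ) ) {
            wp_send_json_error( 'forbidden', 403 );  // object-level check
        }
        $posts[] = $post;
    }
    return $posts;
}

// HARDENED bulk delete: authorize every ID first, only then act on any of them.
function example_hardened_bulk_delete() {
    check_ajax_referer( 'example_bulk_action', 'nonce' );
    $posts = example_authorize_course_ids(
        (array) ( $_POST['course_ids'] ?? array() ),
        'delete_others_posts'
    );
    foreach ( $posts as $post ) {
        wp_delete_post( $post->ID, true );
    }
    wp_send_json_success( array( 'deleted' => wp_list_pluck( $posts, 'ID' ) ) );
}

// HARDENED bulk status change: the same per-object check, plus an allow-list
// for the target status so that parameter cannot be abused either.
function example_hardened_update_status() {
    check_ajax_referer( 'example_bulk_action', 'nonce' );
    $status = sanitize_key( $_POST['status'] ?? '' );
    if ( ! in_array( $status, array( 'publish', 'draft', 'pending' ), true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }
    $posts = example_authorize_course_ids(
        (array) ( $_POST['course_ids'] ?? array() ),
        'edit_others_posts'
    );
    foreach ( $posts as $post ) {
        wp_update_post( array( 'ID' => $post->ID, 'post_status' => $status ) );
    }
    wp_send_json_success( array( 'updated' => wp_list_pluck( $posts, 'ID' ) ) );
}

add_action( 'wp_ajax_example_bulk_delete_course', 'example_hardened_bulk_delete' );
add_action( 'wp_ajax_example_update_course_status', 'example_hardened_update_status' );
```

The key design point is that authorization is evaluated per object and before any side effect: the hardened handlers walk the whole ID list and abort on the first failure, so a request mixing one owned course with several foreign ones changes nothing. If the course post type is registered with map_meta_cap, the explicit owner comparison can be replaced by current_user_can( 'delete_post', $post->ID ) or current_user_can( 'edit_post', $post->ID ), which WordPress maps to the owner/others capabilities itself. Which statuses an instructor may set (for example whether they may publish without review) is a separate policy decision and is not addressed by the advisory.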

Remediation

Users are advised to update the Tutor LMS plugin to version 3.9.6 or later, in which the issue is addressed. Site operators who cannot update immediately should restrict Instructor-level accounts to trusted users until the update is applied.

Added: Feb 3, 2026, 8:22 AM
Updated: Feb 3, 2026, 8:22 AM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          2.5
exploitability  6.0
remediation     7.7
relevance       2.6
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined to calculate the overall risk score.