HEL Online Classroom Missing Authorization Vulnerability Allows Unauthenticated Deletion of Classroom Records

Vulnerability

A vulnerability exists in the HEL Online Classroom WordPress plugin, specifically in versions up to and including 1.0.3. The issue arises from a missing authorization check on a REST API endpoint, which is registered to allow unauthenticated access. This flaw enables attackers to delete any classroom record by providing the corresponding ID, leading to permanent data loss.

Impact

Exploitation of this vulnerability allows for the unauthorized deletion of classroom records, causing irreversible data loss.

Reproduction

To reproduce this vulnerability, send a DELETE request to the '/wp-json/hel-bbb-online-classroom/v1/delete-class/' endpoint. Include the ID of the classroom to be deleted in the request. The absence of a proper authorization check will allow the deletion to proceed, even for unauthenticated users.

Remediation

No patch is currently available. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.
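
One way to check web server access logs for the request described under Reproduction, as an added example that is not part of the advisory or the plugin's code. It assumes Combined Log Format; the sample log lines are constructed, and the `rest_route` query form is general WordPress behaviour rather than something the advisory states.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# REST route from the advisory's Reproduction section (without /wp-json).
ROUTE = "/hel-bbb-online-classroom/v1/delete-class"

# Combined Log Format as written by Apache/nginx (assumed log layout).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2026:10:01:02 +0000] "DELETE /wp-json/hel-bbb-online-classroom/v1/delete-class/ HTTP/1.1" 200 45 "-" "-"',
    '198.51.100.9 - - [12/May/2026:10:02:10 +0000] "GET /wp-json/hel-bbb-online-classroom/v1/delete-class/ HTTP/1.1" 404 120 "-" "-"',
    '203.0.113.7 - - [12/May/2026:10:03:44 +0000] "DELETE /?rest_route=/hel-bbb-online-classroom/v1/delete-class/ HTTP/1.1" 200 45 "-" "-"',
    '192.0.2.15 - admin [12/May/2026:10:05:00 +0000] "DELETE /wp-json/wp/v2/posts/5 HTTP/1.1" 401 90 "-" "-"',
]

def rest_route(target):
    """Return the REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:
        return "/" + path.split("/wp-json/", 1)[1]
    # WordPress also accepts the route in the rest_route query parameter.
    values = parse_qs(parts.query).get("rest_route")
    return values[0] if values else None

def find_delete_class_requests(lines):
    """Return (ip, time, target, status) for DELETE requests to ROUTE."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "DELETE":
            continue
        route = (rest_route(m["target"]) or "").lower().rstrip("/")
        # WordPress matches REST routes case-insensitively.
        if route == ROUTE or route.startswith(ROUTE + "/"):
            hits.append((m["ip"], m["time"], m["target"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for ip, when, target, status in find_delete_class_requests(SAMPLE_LOG):
        # The status shows how the server answered; the log has no auth state.
        print(f"{when} {ip} {status} {target}")
```

Access logs do not record whether a request was authenticated, so each hit with a 2xx status is worth comparing against the classroom records and backups.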

Added: May 12, 2026, 9:39 AM
Updated: May 12, 2026, 9:39 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.4
remediation: 0.0
relevance: 8.1
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.