CVE-2026-6965: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Refere
medium vulnerability
security
Summary
The Tutor LMS plugin for WordPress (versions up to 3.9.9) trusts user input in a way that allows an insecure direct object reference (IDOR), a flaw that occurs when an application does not properly check whether a user should have access to data before acting on it. An authenticated instructor can manipulate a parameter to gain unauthorized access to other instructors' courses and perform damaging actions such as deleting lessons, quizzes, and student data, or modifying grades.
Vulnerability Details
CVSS Score: 5.3 (medium)
EPSS (30-day exploit probability): 0.0%
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Disclosure Date: May 13, 2026
Classification
Attack Sophistication: Moderate
Taxonomy References
CWE (Weakness Type)
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-6965
First tracked: May 13, 2026 at 08:10 PM
Classified by LLM (prompt v3) · confidence: 95%