CVE-2026-1375: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Refere
high vulnerability
security
Summary
The Tutor LMS plugin for WordPress, in versions up to 3.9.5, has an insecure direct object reference (IDOR) flaw: a class of bug where an attacker can access or change data belonging to other users by guessing or manipulating identifiers. Attackers with instructor-level access can modify or delete courses they don't own by changing the course ID numbers in bulk action requests, because the plugin doesn't properly check who owns each course.
Vulnerability Details
CVSS Score
8.1 (high)
EPSS (30-day exploit probability)
EPSS: 0.1%
Classification
Attack Sophistication: Trivial
Taxonomy References
CWE (Weakness Type)
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-1375
First tracked: February 15, 2026 at 08:37 PM
Classified by LLM (prompt v3) · confidence: 95%