CVE-2026-0548
📋 TL;DR
This vulnerability allows authenticated WordPress users with subscriber-level access or higher to delete arbitrary attachments on sites running vulnerable Tutor LMS plugin versions. Attackers can delete important media files, course materials, or other uploaded content without proper authorization.
💻 Affected Systems
- Tutor LMS – eLearning and online course solution for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Critical course materials, certificates, or important site media are permanently deleted, disrupting eLearning operations and potentially causing data loss.
Likely Case
Malicious users delete course attachments, images, or documents, causing minor to moderate disruption to course content.
If Mitigated
With proper user access controls and monitoring, impact is limited to authorized deletions only.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.5
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?old_path=/tutor/tags/3.9.4/classes/User.php&new_path=/tutor/tags/3.9.5/classes/User.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Tutor LMS plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 3.9.5+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Capability Restriction
allTemporarily restrict subscriber-level users from accessing attachment management functions using WordPress role management plugins.
Plugin Deactivation
allTemporarily deactivate Tutor LMS plugin if not immediately needed for site functionality.
🧯 If You Can't Patch
- Implement strict user access controls and monitor user activity logs for suspicious attachment deletions.
- Regularly backup WordPress media library and implement file integrity monitoring for uploads directory.
🔍 How to Verify
Check if Vulnerable:
Check Tutor LMS plugin version in WordPress admin panel under Plugins → Installed Plugins.Check Version:
wp plugin list --name=tutor --field=versionVerify Fix Applied:
Confirm plugin version is 3.9.5 or higher after update.📡 Detection & Monitoring
Log Indicators:
- Unusual attachment deletion events in WordPress logs
- Multiple delete requests from subscriber-level users
- Suspicious wp-admin/admin-ajax.php requests with delete_existing_user_photo action
Network Indicators:
- POST requests to admin-ajax.php with delete attachment parameters from non-admin users
SIEM Query:
source="wordpress" AND (action="delete_attachment" OR "delete_existing_user_photo") AND user_role="subscriber"