HEL Online Classroom: AI-powered Online Classrooms

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description

The HEL Online Classroom: AI-powered Online Classrooms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.3. This is due to a missing capability check on a REST API endpoint registered with a permission_callback of '__return_true', which bypasses all WordPress authentication and authorization checks. This makes it possible for unauthenticated attackers to delete any classroom record by supplying its ID in the request, resulting in permanent data loss.

Basic Information

ID CVE-2026-6708

Source Wordfence

Published May 12, 2026 at 07:48

Affected Product

Vendor higheredlab

Product HEL Online Classroom: AI-powered Online Classrooms

Affected Versions higheredlab HEL Online Classroom: AI-powered Online Classrooms 0

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "The HEL Online Classroom: AI-powered Online Classrooms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.3. This is due to a missing capability check on a REST API endpoint registered with a permission_callback of '__return_true', which bypasses all WordPress authentication and authorization checks. This makes it possible for unauthenticated attackers to delete any classroom record by supplying its ID in the request, resulting in permanent data loss.",
    "published": "2026-05-12T07:48:15.695Z",
    "modified": "2026-05-12T07:48:15.695Z",
    "type": "cve",
    "title": "HEL Online Classroom: AI-powered Online Classrooms <= 1.0.3 - Missing Authorization to Unauthenticated Arbitrary Classroom Deletion via 'id' Parameter",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0612c0be-f1c0-4f74-a769-e4616f103ee6?source=cve\nhttps://plugins.trac.wordpress.org/browser/hel-online-classroom/trunk/hel-online-classroom.php#L605\nhttps://plugins.trac.wordpress.org/browser/hel-online-classroom/tags/1.0.3/hel-online-classroom.php#L605\nhttps://plugins.trac.wordpress.org/browser/hel-online-classroom/trunk/hel-online-classroom.php#L398\nhttps://plugins.trac.wordpress.org/browser/hel-online-classroom/tags/1.0.3/hel-online-classroom.php#L398",
    "id": "CVE-2026-6708",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "higheredlab HEL Online Classroom: AI-powered Online Classrooms 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "HEL Online Classroom: AI-powered Online Classrooms",
    "version": "0",
    "vendor": "higheredlab",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

HEL Online Classroom: AI-powered Online Classrooms <= 1.0.3 - Missing Authorization to Unauthenticated Arbitrary Classroom Deletion via 'id' Parameter_CVE-2026-6708