CVE-2026-6708
HEL Online Classroom: AI-powered Online Classrooms <= 1.0.3 - Missing Authorization to Unauthenticated Arbitrary Classroom Deletion via 'id' Parameter
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
12 May 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The HEL Online Classroom: AI-powered Online Classrooms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.3. This is due to a missing capability check on a REST API endpoint registered with a permission_callback of '__return_true', which bypasses all WordPress authentication and authorization checks. This makes it possible for unauthenticated attackers to delete any classroom record by supplying its ID in the request, resulting in permanent data loss.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected products
higheredlab · HEL Online Classroom: AI-powered Online ClassroomsReferences
https://plugins.trac.wordpress.org/browser/hel-online-classroom/tags/1.0.3/hel-online-classroom.php#L398https://plugins.trac.wordpress.org/browser/hel-online-classroom/tags/1.0.3/hel-online-classroom.php#L605https://plugins.trac.wordpress.org/browser/hel-online-classroom/trunk/hel-online-classroom.php#L398https://plugins.trac.wordpress.org/browser/hel-online-classroom/trunk/hel-online-classroom.php#L605https://www.wordfence.com/threat-intel/vulnerabilities/id/0612c0be-f1c0-4f74-a769-e4616f103ee6?source=cve