CVE-2026-5502
Authorization Bypass in Tutor LMS Allows Course Content Manipulation
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: Wordfence
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tutor_lms | tutor_lms | up to and including 3.9.8 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Tutor LMS plugin for WordPress has a vulnerability in versions up to 3.9.8 that allows unauthorized manipulation of course content. This happens because the function tutor_update_course_content_order() only checks a nonce for CSRF protection but does not properly verify if the user has permission to manage course content. Specifically, the authorization check can_user_manage() only runs if the 'content_parent' parameter is included in the request. If this parameter is missing, the function skips authorization and directly modifies the course content order in the database. As a result, authenticated users with subscriber-level access or higher can detach lessons from topics, move lessons between topics, and change the order of course content without proper permissions.
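To make the flaw concrete for reviewers auditing similar handlers, the following is an added PHP illustration (not the Tutor LMS plugin's own code): a request handler whose capability check is reachable only when an optional field is present, beside a hardened version that authenticates, authorizes against the target object, and validates every item before writing. The helper names (example_can_user_manage, example_persist_order) and the nonce action string are hypothetical; the WordPress functions called (wp_verify_nonce, is_user_logged_in, current_user_can, get_post, update_post_meta) are real.

```php
<?php
// Added example, not code from the Tutor LMS project. Assumes a WordPress runtime.

// Hypothetical stand-in for the plugin's can_user_manage(): true only when the
// current user may edit the parent object (topic or course) being reordered.
function example_can_user_manage(int $parent_id): bool {
    return current_user_can('edit_post', $parent_id);
}

// Hypothetical persistence helper: records the new order on the parent object.
function example_persist_order(int $parent_id, array $order): void {
    update_post_meta($parent_id, '_example_content_order', array_map('intval', $order));
}

// Flawed pattern described in the advisory: the nonce is always checked, but the
// authorization check sits inside an isset() branch, so a request that simply
// omits 'content_parent' reaches the write without ever being authorized.
function flawed_update_content_order(array $request): string {
    if (!wp_verify_nonce($request['_wpnonce'] ?? '', 'example_nonce_action')) {
        return 'nonce_failed';              // CSRF protection only
    }
    if (isset($request['content_parent'])) {
        if (!example_can_user_manage((int) $request['content_parent'])) {
            return 'forbidden';             // reached only when the field is present
        }
    }
    // Writes proceed for any authenticated user when the field is absent.
    example_persist_order((int) ($request['content_parent'] ?? 0), $request['content_order'] ?? []);
    return 'updated';
}

// Hardened pattern: authenticate, require the object that authorization is
// evaluated against, authorize unconditionally, then validate that every item in
// the order actually belongs to that object before touching the database.
function hardened_update_content_order(array $request): string {
    if (!is_user_logged_in()) {
        return 'unauthenticated';
    }
    if (!wp_verify_nonce($request['_wpnonce'] ?? '', 'example_nonce_action')) {
        return 'nonce_failed';
    }
    // A missing target is a malformed request, never a reason to skip the check.
    if (!isset($request['content_parent']) || !is_array($request['content_order'] ?? null)) {
        return 'bad_request';
    }
    $parent_id = (int) $request['content_parent'];
    if ($parent_id <= 0 || !example_can_user_manage($parent_id)) {
        return 'forbidden';
    }
    // Assumption for this illustration: child items are posts whose post_parent
    // is the authorized parent. Reject any item outside that scope so the caller
    // cannot reorder or detach content belonging to a different topic or course.
    foreach ($request['content_order'] as $item_id) {
        $post = get_post((int) $item_id);
        if ($post === null || (int) $post->post_parent !== $parent_id) {
            return 'forbidden';
        }
    }
    example_persist_order($parent_id, $request['content_order']);
    return 'updated';
}
```

The two review questions this example is meant to prompt are whether any write path can be reached without passing a capability check, and whether that check is evaluated against the same object the write will modify; a nonce alone answers neither, since it proves only that the request originated from the site's own form, not that the user is allowed to perform the action.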
How can this vulnerability impact me?
This vulnerability allows attackers with low-level access (subscriber or above) to disrupt the structure of any course on a WordPress site using Tutor LMS. They can detach lessons from topics, rearrange lessons between topics, and modify the order of course content. This can lead to confusion for learners, degrade the quality and integrity of the course material, and potentially harm the reputation of the educational platform.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized manipulation of course content by authenticated users with subscriber-level access and above, potentially disrupting the structure of courses on the site.
However, there is no information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the Tutor LMS plugin to a version later than 3.9.8 where the authorization check issue is fixed.
Additionally, restrict subscriber-level users from accessing course content management functions until the update is applied.
Ensure that authorization checks are properly enforced in the tutor_update_course_content_order() function to prevent unauthorized manipulation of course content.