CVE-2026-5502
Received Received - Intake
Authorization Bypass in Tutor LMS Allows Course Content Manipulation

Publication date: 2026-04-17

Last updated on: 2026-04-17

Assigner: Wordfence

Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) but does not verify whether the user has permission to manage course content. The can_user_manage() authorization check only executes when the 'content_parent' parameter is present in the request. When this parameter is omitted, the function proceeds directly to save_course_content_order() which manipulates the wp_posts table without any authorization validation. This makes it possible for authenticated attackers with subscriber-level access and above to detach all lessons from any topic, move lessons between topics, and modify the menu_order of course content, effectively allowing them to disrupt the structure of any course on the site.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5502
EUVD
EUVD-2026-23360
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tutor_lms tutor_lms to 3.9.8 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthorized manipulation of course content by authenticated users with subscriber-level access and above, potentially disrupting the structure of courses on the site.

However, there is no information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

The Tutor LMS plugin for WordPress has a vulnerability in versions up to 3.9.8 that allows unauthorized manipulation of course content. This happens because the function tutor_update_course_content_order() only checks a nonce for CSRF protection but does not properly verify if the user has permission to manage course content. Specifically, the authorization check can_user_manage() only runs if the 'content_parent' parameter is included in the request. If this parameter is missing, the function skips authorization and directly modifies the course content order in the database. As a result, authenticated users with subscriber-level access or higher can detach lessons from topics, move lessons between topics, and change the order of course content without proper permissions.

Impact Analysis

This vulnerability allows attackers with low-level access (subscriber or above) to disrupt the structure of any course on a WordPress site using Tutor LMS. They can detach lessons from topics, rearrange lessons between topics, and modify the order of course content. This can lead to confusion for learners, degrade the quality and integrity of the course material, and potentially harm the reputation of the educational platform.

Mitigation Strategies

To mitigate this vulnerability, you should update the Tutor LMS plugin to a version later than 3.9.8 where the authorization check issue is fixed.

Additionally, restrict subscriber-level users from accessing course content management functions until the update is applied.

Ensure that authorization checks are properly enforced in the tutor_update_course_content_order() function to prevent unauthorized manipulation of course content.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5502. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart