CVE-2026-12271
Received Received - Intake

Tutor LMS Quiz Attempt Manipulation via Unverified Ownership

Vulnerability report for CVE-2026-12271, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: WPScan

Description

The Tutor LMS WordPress plugin before 3.9.13 does not verify ownership of the targeted quiz attempt before writing to it, allowing authenticated users with subscriber-level access and above to modify and force-complete other students' quiz attempts, overwriting their recorded marks and pass/fail result.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
themeum tutor_lms to 3.9.13 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows authenticated users with subscriber-level access to modify and force-complete other students' quiz attempts, overwriting their recorded marks and pass/fail results. This unauthorized modification of user data can lead to integrity and confidentiality issues concerning personal and academic information.

Such unauthorized data manipulation may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal data integrity and prevention of unauthorized access or alteration. Specifically, the vulnerability could violate principles of data accuracy and security, potentially leading to non-compliance with these regulations.

Executive Summary

The vulnerability CVE-2026-12271 affects the Tutor LMS WordPress plugin versions before 3.9.13. It allows authenticated users with subscriber-level access or higher to modify and force-complete other students' quiz attempts. This happens because the plugin does not verify ownership of the targeted quiz attempt before allowing updates, leading to an Insecure Direct Object Reference (IDOR) flaw.

An attacker can exploit this by submitting a specially crafted HTTP request that bypasses ownership checks, enabling them to overwrite recorded marks, pass/fail results, and quiz completion status of other users without their consent.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users with subscriber-level access to alter quiz results of other students. They can force-complete quizzes, assign incorrect scores, and change the attempt status, which compromises the integrity and reliability of the quiz data.

Such unauthorized modifications can lead to unfair academic advantages or disadvantages, loss of trust in the system, and potential disruption of educational assessments.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious HTTP requests that attempt to modify quiz attempts using IDs that do not belong to the authenticated user. Specifically, look for crafted HTTP requests where an attacker submits their own attempt ID for ownership validation but targets a victim's attempt ID in an array parameter to override system checks.

Detection can involve inspecting web server logs or using tools like curl or Burp Suite to simulate or identify such crafted requests.

  • Use curl to check for unauthorized quiz attempt modifications by sending POST requests with manipulated attempt IDs.
  • Example curl command to test (replace URL and parameters accordingly):

curl -X POST https://your-wordpress-site.com/wp-admin/admin-ajax.php -d 'action=tutor_quiz_update_attempt&attempt_id=attacker_attempt_id&attempt_ids[]=victim_attempt_id&other_parameters=values' -b 'cookie=auth_cookie'

Review logs for such requests and verify if quiz attempts are being modified by users without proper ownership.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Tutor LMS WordPress plugin to version 3.9.13 or later, where the issue has been fixed.

Until the update can be applied, restrict subscriber-level users from accessing quiz attempt modification functionalities if possible, and monitor for suspicious activity related to quiz attempts.

Additionally, consider implementing web application firewall (WAF) rules to block suspicious requests attempting to manipulate quiz attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12271. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart