CVE-2026-12274
Received Received - Intake

Tutor LMS Post Takeover via Insecure Direct Object Reference

Vulnerability report for CVE-2026-12274, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: WPScan

Description

The Tutor LMS WordPress plugin before 3.9.13 does not verify that the requesting user is allowed to edit a target post before overwriting it in one of its content-builder save handlers, authorizing the request only against an unrelated identifier, allowing authenticated users with instructor-level access to overwrite and take over any post or page on the site, including those owned by administrators.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tutor_lms tutor_lms to 3.9.13 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-12274 is a vulnerability in the Tutor LMS WordPress plugin versions before 3.9.13. It is an Insecure Direct Object Reference (IDOR) flaw where the plugin does not properly verify if the requesting user has permission to edit a specific post before allowing the overwrite. Instead, it authorizes the request based on an unrelated identifier.

This flaw allows authenticated users with instructor-level access to overwrite and take over any post or page on the site, including those owned by administrators.

Impact Analysis

This vulnerability can have serious impacts as it allows users with instructor-level access to overwrite any post or page on the WordPress site, including those owned by administrators.

An attacker could use this to take over content, potentially deface the site, inject malicious content, or manipulate important pages, leading to loss of data integrity and trust.

Mitigation Strategies

To mitigate this vulnerability, you should update the Tutor LMS WordPress plugin to version 3.9.13 or later, where the issue has been fixed.

This update ensures proper verification of user permissions before allowing edits to posts or pages, preventing unauthorized overwrites by instructor-level users.

Compliance Impact

The vulnerability CVE-2026-12274 allows authenticated users with instructor-level access to overwrite any post or page on the site, including those owned by administrators, due to improper access control.

This broken access control issue (classified under OWASP Top 10 A5 and CWE-639) could lead to unauthorized modification of content, which may result in data integrity and confidentiality risks.

Such unauthorized access and modification could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data access and integrity to protect personal and sensitive information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12274. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart