CVE-2026-5502

April 17, 2026, 5:16 a.m.

5.3
Medium

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) but does not verify whether the user has permission to manage course content. The can_user_manage() authorization check only executes when the 'content_parent' parameter is present in the request. When this parameter is omitted, the function proceeds directly to save_course_content_order() which manipulates the wp_posts table without any authorization validation. This makes it possible for authenticated attackers with subscriber-level access and above to detach all lessons from any topic, move lessons between topics, and modify the menu_order of course content, effectively allowing them to disrupt the structure of any course on the site.

Product(s) Impacted

Vendor Product Versions
Tutor Lms
  • Tutor Lms
  • <=3.9.8

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a tutor_lms tutor_lms <=3.9.8 / / / / / wordpress /

References

https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1700
https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1789
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1700
https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1789
https://plugins.trac.wordpress.org/changeset/3505142/tutor/tags/3.9.9/classes/Course.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/f32ae42d-dd1f-41d7-8ae4-ddec56d78ae6?source=cve

Tags

[email protected]
CWE-862
2026-04-17
CVE-2026-5502

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

    View Vector String

Timeline

Published: April 17, 2026, 5:16 a.m.
Last Modified: April 17, 2026, 5:16 a.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.