CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Description (NVD)
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) but does not verify whether the user has permission to manage course content. The can_user_manage() authorization check only executes when the 'content_parent' parameter is present in the request. When this parameter is omitted, the function proceeds directly to save_course_content_order() which manipulates the wp_posts table without any authorization validation. This makes it possible for authenticated attackers with subscriber-level access and above to detach all lessons from any topic, move lessons between topics, and modify the menu_order of course content, effectively allowing them to disrupt the structure of any course on the site.
Analysis (AI)
Tutor LMS plugin for WordPress versions up to and including 3.9.8 allow authenticated attackers to manipulate course content structure (detach lessons, move lessons between topics, reorder content) without proper authorization checks when the 'content_parent' parameter is omitted from requests handled by the tutor_update_course_content_order() function. Although the CVSS score of 5.3 reflects the absence of confidentiality impact, the vulnerability lets subscribers and course instructors who lack content management permissions disrupt course integrity across the entire site. No public exploit code has been confirmed; a patch is available in version 3.9.9.
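To make the control-flow flaw in the description and analysis above concrete, here is an added illustrative sketch (not Tutor LMS's code) of an AJAX handler with the vulnerable shape next to a hardened one. The nonce action name, the request field names and the bodies of can_user_manage() and save_course_content_order() are assumptions; check_ajax_referer(), current_user_can() and wp_send_json_error() are real WordPress functions.

```php
<?php
// Illustrative reconstruction of the described bug; not the plugin's code.
// Assumed helpers: can_user_manage( $type, $id ) and save_course_content_order( $items ).

// Vulnerable shape: the nonce check runs, but the authorization check is only
// reached when 'content_parent' is present, so omitting it skips authorization.
function vulnerable_update_course_content_order() {
    check_ajax_referer( 'tutor_nonce', '_tutor_nonce' ); // CSRF protection only

    $content_parent = isset( $_POST['content_parent'] ) ? (int) $_POST['content_parent'] : 0;
    if ( $content_parent ) {
        if ( ! can_user_manage( 'course', $content_parent ) ) {
            wp_send_json_error( 'Unauthorized', 403 );
        }
    }
    // Reached with no capability check when content_parent is absent.
    save_course_content_order( isset( $_POST['content'] ) ? $_POST['content'] : array() );
    wp_send_json_success();
}

// Hardened shape: authorization is unconditional and is evaluated against every
// post the request would write to, independent of which parameters were sent.
function hardened_update_course_content_order() {
    check_ajax_referer( 'tutor_nonce', '_tutor_nonce' );

    $content = ( isset( $_POST['content'] ) && is_array( $_POST['content'] ) ) ? $_POST['content'] : array();
    if ( empty( $content ) ) {
        wp_send_json_error( 'Nothing to update', 400 );
    }

    foreach ( $content as $item ) {
        $post_id = isset( $item['id'] ) ? (int) $item['id'] : 0;
        // edit_post resolves to the post owner or a role with the capability;
        // a subscriber fails here before any row in wp_posts is touched.
        if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
            wp_send_json_error( 'Unauthorized', 403 );
        }
    }

    save_course_content_order( $content );
    wp_send_json_success();
}
```

The defensive rule the comparison illustrates: a nonce proves the request came from the site's own UI, not that the caller may perform the action, so the capability check must run on every code path that reaches the write.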
EUVD-2026-23360