Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Network-exploitable with any subscriber account (PR:L); no confidentiality loss; integrity and availability both Low from score/completion record tampering.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
The Tutor LMS WordPress plugin before 3.9.13 does not verify ownership of the targeted quiz attempt before writing to it, allowing authenticated users with subscriber-level access and above to modify and force-complete other students' quiz attempts, overwriting their recorded marks and pass/fail result.
AnalysisAI
Missing ownership verification in Tutor LMS WordPress plugin before 3.9.13 allows any authenticated subscriber-level user to overwrite other students' quiz attempt records, including their scores and pass/fail status. The flaw is an insecure direct object reference (IDOR) pattern: the plugin writes to quiz attempts without confirming the requesting user owns that attempt. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold a valid WordPress account at subscriber level or above - the minimum role typically granted upon self-registration. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 5.4 Medium score reflects PR:L (requires a low-privilege authenticated account), with Integrity and Availability impacts both rated Low. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A student enrolled in a WordPress-based online course registers or already holds a subscriber-level account and identifies a competitor's quiz attempt ID - either by brute-forcing sequential IDs or observing network traffic in a shared session context. The attacker sends a crafted POST request to the Tutor LMS quiz attempt write endpoint, substituting the victim's attempt ID, and submits arbitrary answer data that forces a passing score. … |
| Remediation | Upgrade Tutor LMS to version 3.9.13 or later; this is the vendor-confirmed patched release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data
Several AJAX endpoints in the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7.7 were unprot
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the ‘rating_filter’ parameter in all versions up t
The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowi
Broken authorization in the Tutor LMS WordPress plugin (before 3.9.13) lets authenticated subscriber-level users bypass
Broken object-level authorization in the Tutor LMS WordPress plugin before 3.9.13 allows any authenticated instructor-le
The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS - eLearning and online course soluti
The tutor_place_rating AJAX action from the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7
The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS - eLearning and online course solution WordPress
The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS - eLearning and online course solution Wor
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43287
GHSA-pqgf-9jm9-v6q5