Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Network-reachable plugin endpoint, instructor session required (PR:L), no complexity or interaction; integrity fully compromised via post overwrite, no confidentiality or availability impact.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
The Tutor LMS WordPress plugin before 3.9.13 does not verify that the requesting user is allowed to edit a target post before overwriting it in one of its content-builder save handlers, authorizing the request only against an unrelated identifier, allowing authenticated users with instructor-level access to overwrite and take over any post or page on the site, including those owned by administrators.
AnalysisAI
Broken object-level authorization in the Tutor LMS WordPress plugin before 3.9.13 allows any authenticated instructor-level user to overwrite and take over arbitrary posts or pages sitewide, including administrator-owned content. The content-builder save handler validates the request against an unrelated identifier rather than confirming the requesting user owns or is permitted to edit the target post, making the authorization check entirely ineffective. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session with at minimum WordPress instructor-level role within the Tutor LMS plugin - this is a non-default role created by the plugin itself, distinct from standard WordPress Subscriber or Editor roles. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) accurately reflects the exploitation profile: network-reachable, no complexity, requires only a low-privilege instructor account, and produces high integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains an instructor-level account on a target WordPress site running Tutor LMS below 3.9.13 - feasible on open-enrollment LMS platforms. Using the publicly available POC, the attacker sends a crafted POST request to the plugin's content-builder save handler, specifying the post ID of an administrator-owned page (e.g., the site's homepage or login redirect page) as the target while authenticating with their instructor session. … |
| Remediation | Update Tutor LMS to version 3.9.13 or later; this is the vendor-confirmed patched release per the WPScan advisory at https://wpscan.com/vulnerability/c3d98ead-a4f4-48fd-bf9c-4fa91c5681d7/. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data
The Tutor LMS Pro plugin for WordPress is vulnerable to unauthorized access of data, modification of data, loss of data
Several AJAX endpoints in the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7.7 were unprot
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the ‘rating_filter’ parameter in all versions up t
The Tutor LMS WordPress plugin before 2.2.1 does not implement adequate permission checks for REST API endpoints, allowi
Broken authorization in the Tutor LMS WordPress plugin (before 3.9.13) lets authenticated subscriber-level users bypass
The tutor_answering_quiz_question/get_answer_by_id function pair from the Tutor LMS - eLearning and online course soluti
The tutor_place_rating AJAX action from the Tutor LMS - eLearning and online course solution WordPress plugin before 1.7
The tutor_quiz_builder_get_question_form AJAX action from the Tutor LMS - eLearning and online course solution WordPress
The tutor_quiz_builder_get_answers_by_question AJAX action from the Tutor LMS - eLearning and online course solution Wor
The tutor_mark_answer_as_correct AJAX action from the Tutor LMS - eLearning and online course solution WordPress plugin
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43289
GHSA-c7pm-q6w7-5993