CVE-2026-5502 (severity: MEDIUM)

CVE-2026-5502: Tutor LMS <= 3.9.8 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order

Vendor Themeum
Product Tutor LMS – eLearning and online course solution
Weakness CWE-862 · Missing authorization
Published April 17, 2026
Last update April 17, 2026

CVSS base score: 5.3/10

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) but does not verify whether the user has permission to manage course content. The can_user_manage() authorization check only executes when the 'content_parent' parameter is present in the request. When this parameter is omitted, the function proceeds directly to save_course_content_order() which manipulates the wp_posts table without any authorization validation. This makes it possible for authenticated attackers with subscriber-level access and above to detach all lessons from any topic, move lessons between topics, and modify the menu_order of course content, effectively allowing them to disrupt the structure of any course on the site.
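The pattern the description above explains, shown as an added illustration rather than Tutor LMS code: a minimal WordPress AJAX handler whose capability check is conditional on a request field (the vulnerable shape), beside a hardened handler that authorizes every post the request would touch regardless of which fields are present. The function names (example_can_user_manage, example_save_content_order, example_update_order_vulnerable, example_update_order_fixed), the nonce action and the request parameter names are hypothetical; the WordPress API calls (check_ajax_referer, current_user_can, get_post, wp_update_post, wp_send_json_error) are real.

```php
<?php
// Added example, not the plugin's own code. Names marked "hypothetical"
// are assumptions; the WordPress functions used are real core APIs.

/**
 * Hypothetical authorization check: the current user may manage a post
 * only if they authored it or hold a capability that covers others' posts.
 */
function example_can_user_manage( $post_id ) {
    $post = get_post( $post_id );
    if ( ! $post ) {
        return false;
    }
    return (int) $post->post_author === get_current_user_id()
        || current_user_can( 'edit_others_posts' );
}

/**
 * Persist a new ordering: each id receives a menu_order equal to its
 * position and, when a parent is given, is re-parented under it.
 * This is the step that writes to wp_posts, so it must never run
 * before authorization has been established for every id.
 */
function example_save_content_order( array $ids, $parent_id ) {
    foreach ( array_values( $ids ) as $position => $id ) {
        $args = array( 'ID' => $id, 'menu_order' => $position );
        if ( $parent_id ) {
            $args['post_parent'] = $parent_id;
        }
        wp_update_post( $args );
    }
}

/**
 * VULNERABLE SHAPE (CWE-862): the nonce is verified, but the capability
 * check only runs when 'content_parent' is present in the request.
 */
function example_update_order_vulnerable() {
    check_ajax_referer( 'example_reorder', '_wpnonce' ); // CSRF protection only
    $parent = isset( $_POST['content_parent'] ) ? absint( $_POST['content_parent'] ) : 0;
    $ids    = isset( $_POST['content_ids'] ) ? array_map( 'absint', (array) $_POST['content_ids'] ) : array();

    if ( $parent && ! example_can_user_manage( $parent ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // When content_parent is omitted no authorization has run at all:
    // any logged-in user who can reach this action reaches the write.
    example_save_content_order( $ids, $parent );
    wp_send_json_success();
}

/**
 * HARDENED SHAPE: authorization is unconditional and covers every post
 * the request would modify, not only the optional parent.
 */
function example_update_order_fixed() {
    check_ajax_referer( 'example_reorder', '_wpnonce' );
    $parent = isset( $_POST['content_parent'] ) ? absint( $_POST['content_parent'] ) : 0;
    $ids    = isset( $_POST['content_ids'] ) ? array_map( 'absint', (array) $_POST['content_ids'] ) : array();

    if ( empty( $ids ) ) {
        wp_send_json_error( 'no content ids supplied', 400 );
    }
    if ( $parent && ! example_can_user_manage( $parent ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    foreach ( $ids as $id ) {
        // Each item is checked individually, so a caller cannot move or
        // detach content belonging to a course they do not manage.
        if ( ! example_can_user_manage( $id ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
    }
    example_save_content_order( $ids, $parent );
    wp_send_json_success();
}

// Only the hardened handler is registered; the vulnerable one is kept
// above purely for comparison.
add_action( 'wp_ajax_example_update_order', 'example_update_order_fixed' );
```

The point of the comparison is that a nonce proves the request came from a page the user loaded, not that the user is allowed to perform the action; the capability check must sit on the code path that performs the write, with no request field able to route around it. When reviewing similar handlers, look for any `if ( isset( $_POST[...] ) )` that wraps the authorization call rather than the data it guards.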

Explanation of Vulnerability in Simple Terms

02 Summary

Tutor LMS versions up to 3.9.8 lack proper authorization checks, allowing unauthenticated attackers to modify certain data on the site. The vulnerability requires no special setup or user interaction. Site administrators should update to a version newer than 3.9.8 to prevent unauthorized modifications.

What an attacker can do

03 Attacker Capabilities

Modify data on the site without logging in or having permission.

Potential impact on your site

04 Site Impact

Unauthorized users can alter course content, settings, or other protected data without credentials.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

April 17, 2026: CVE published
April 17, 2026: Record updated
