5.3

CVE-2026-5502

EPSS 0.01%
Veröffentlicht 17.04.2026 03:36:45
Zuletzt bearbeitet 17.04.2026 05:16:19
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) but does not verify whether the user has permission to manage course content. The can_user_manage() authorization check only executes when the 'content_parent' parameter is present in the request. When this parameter is omitted, the function proceeds directly to save_course_content_order() which manipulates the wp_posts table without any authorization validation. This makes it possible for authenticated attackers with subscriber-level access and above to detach all lessons from any topic, move lessons between topics, and modify the menu_order of course content, effectively allowing them to disrupt the structure of any course on the site.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 9

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerthemeum

≫

Produkt Tutor LMS – eLearning and online course solution

Default Statusunaffected

Version <= 3.9.8

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.013

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.wordfence.com/threat-intel/vulnerabilities/id/f32ae42d-dd1f-41d7-8ae4-ddec56d78ae6?source=cve

https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1700

https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1789

https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1789

https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1700

https://plugins.trac.wordpress.org/changeset/3505142/tutor/tags/3.9.9/classes/Course.php

https://nvd.nist.gov/vuln/detail/CVE-2026-5502

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-5502

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-5502

EUVD