PT-2026-33405 · Themeum · Tutor Lms – Elearning/Online Course Solution
Momopon1415
·
Published
2026-04-17
·
Updated
2026-04-17
·
CVE-2026-5502
CVSS v3.1
5.3
Medium
| AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. The cause is a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) and does not verify that the user is allowed to manage the course content. The can_user_manage() authorization check runs only when the 'content_parent' parameter is present in the request; when that parameter is omitted, the function proceeds directly to save_course_content_order(), which writes to the wp_posts table without any authorization check. This makes it possible for authenticated attackers with subscriber-level access and above to detach all lessons from any topic, move lessons between topics, and modify the menu order of course content, effectively allowing them to disrupt the structure of any course on the site.
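The pattern described above, as an added illustration that is not Tutor LMS code: a WordPress AJAX handler whose capability check is nested inside the branch for an optional request parameter, shown beside a hardened version that authorizes every post the request would touch before any write. The handler, helper and parameter names (reorder_lessons_vulnerable, reorder_lessons_hardened, reorder_lessons_save, lesson_ids, topic_id, the 'lesson' post type) are hypothetical; the WordPress API calls (check_ajax_referer, current_user_can, get_post, wp_update_post, wp_send_json_error) are real.

```php
<?php
// Added example, not Tutor LMS code. Names prefixed reorder_lessons_*, the
// request parameters lesson_ids / topic_id and the 'lesson' post type are
// assumptions for illustration only.

// ---- Vulnerable pattern: authorization gated on an optional parameter ----
function reorder_lessons_vulnerable() {
    // A nonce only proves the request came from a page this site rendered for
    // a logged-in user; it says nothing about what that user may edit.
    check_ajax_referer( 'reorder_lessons_nonce', 'nonce' );

    $lesson_ids = array_map( 'absint', (array) ( $_POST['lesson_ids'] ?? array() ) );
    $topic_id   = isset( $_POST['topic_id'] ) ? absint( $_POST['topic_id'] ) : 0;

    // BUG: the capability check lives inside the optional branch. A subscriber
    // who simply omits topic_id skips it and reaches the write below, where
    // topic_id = 0 detaches every listed lesson from its topic.
    if ( $topic_id ) {
        if ( ! current_user_can( 'edit_post', $topic_id ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
    }

    reorder_lessons_save( $lesson_ids, $topic_id );
    wp_send_json_success();
}

// ---- Hardened pattern: authorize every object before any write ----
function reorder_lessons_hardened() {
    check_ajax_referer( 'reorder_lessons_nonce', 'nonce' );

    $lesson_ids = array_map( 'absint', (array) ( $_POST['lesson_ids'] ?? array() ) );
    $topic_id   = isset( $_POST['topic_id'] ) ? absint( $_POST['topic_id'] ) : 0;

    if ( empty( $lesson_ids ) ) {
        wp_send_json_error( 'nothing to do', 400 );
    }

    // Check each post the request would modify, unconditionally. Rejecting
    // missing posts and wrong post types also stops a caller from reparenting
    // arbitrary posts by passing their IDs as "lessons".
    foreach ( $lesson_ids as $lesson_id ) {
        $post = get_post( $lesson_id );
        if ( ! $post || 'lesson' !== $post->post_type
             || ! current_user_can( 'edit_post', $lesson_id ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
    }
    // The target topic is checked whether or not it was supplied; a request
    // without topic_id is still a write (a detach) and still needs authority
    // over the lessons it touches, which the loop above already enforced.
    if ( $topic_id && ! current_user_can( 'edit_post', $topic_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    reorder_lessons_save( $lesson_ids, $topic_id );
    wp_send_json_success();
}

// Shared write: sets menu_order and post_parent on each lesson. With
// topic_id = 0 this detaches the lessons, which is why the write itself
// must never be reachable without the checks above.
function reorder_lessons_save( array $lesson_ids, int $topic_id ) {
    foreach ( $lesson_ids as $position => $lesson_id ) {
        wp_update_post( array(
            'ID'          => $lesson_id,
            'menu_order'  => $position,
            'post_parent' => $topic_id,
        ) );
    }
}

add_action( 'wp_ajax_reorder_lessons', 'reorder_lessons_hardened' );
```

The practical check when reviewing a handler like this: find every code path that reaches the database write and confirm each one passes through a capability test that does not depend on a request parameter the client controls. A nonce check alone never satisfies that requirement.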
Fix
Weakness Enumeration
Missing Authorization
Related Identifiers
Affected Products
Tutor Lms – Elearning/Online Course Solution