PT-2026-33405 · WordPress · Tutor LMS

Momopon1415 · Published 2026-04-17 · Updated 2026-04-17 · CVE-2026-5502

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Tutor LMS versions prior to 3.9.9

Description: The Tutor LMS plugin for WordPress allows unauthorized manipulation of course content. The tutor_update_course_content_order() function does not verify that the requesting user has permission to manage the course content; it validates only the nonce, which protects against CSRF but not against an authenticated low-privileged user. The can_user_manage() authorization check is reached only when the content_parent parameter is present in the request. If content_parent is omitted, the handler instead calls save_course_content_order(), which writes to the wp_posts table without any authorization check. Consequently, authenticated attackers with subscriber-level access or higher can detach lessons from topics, move lessons between topics, and change the menu order of course content, disrupting the course structure.

Recommendations: Update the plugin to a version newer than 3.9.8. As a temporary workaround, restrict access to the tutor_update_course_content_order() function for users with low-level privileges.
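To make the flaw concrete for code review, the following is an added illustration (not Tutor LMS code) of the handler shape the description implies, beside the hardened shape. The helper names nonce_is_valid() and user_can_manage_content() are hypothetical stand-ins for WordPress's nonce check and the plugin's can_user_manage() capability check; the request arrays are constructed sample input.

```php
<?php
// Added example, not code from the Tutor LMS project. The two helpers below are
// hypothetical stand-ins so the file runs from the CLI without WordPress loaded.
function nonce_is_valid(array $req): bool { return ($req['_wpnonce'] ?? '') === 'valid'; }
function user_can_manage_content(): bool { return false; } // models a subscriber-level user

// Vulnerable shape: the authorization check is nested under the content_parent
// branch, so a request that simply omits content_parent reaches the write path
// having passed only the nonce check (CSRF protection, not authorization).
function vulnerable_handler(array $req): string {
    if (!nonce_is_valid($req)) {
        return 'rejected: bad nonce';
    }
    if (isset($req['content_parent'])) {
        if (!user_can_manage_content()) {
            return 'rejected: not authorized';
        }
        return 'saved: order under parent ' . (int) $req['content_parent'];
    }
    // No authorization check on this branch: the order is written regardless of role.
    return 'saved: order of ' . implode(',', $req['content_order']);
}

// Hardened shape: nonce and authorization are both checked before any branching,
// so the outcome no longer depends on which parameters the request includes.
function hardened_handler(array $req): string {
    if (!nonce_is_valid($req)) {
        return 'rejected: bad nonce';
    }
    if (!user_can_manage_content()) {
        return 'rejected: not authorized';
    }
    return isset($req['content_parent'])
        ? 'saved: order under parent ' . (int) $req['content_parent']
        : 'saved: order of ' . implode(',', $req['content_order']);
}

// Constructed sample requests: identical except for the presence of content_parent.
$withParent    = ['_wpnonce' => 'valid', 'content_parent' => 12, 'content_order' => [3, 1, 2]];
$withoutParent = ['_wpnonce' => 'valid', 'content_order' => [3, 1, 2]];

printf("vulnerable, with parent:    %s\n", vulnerable_handler($withParent));    // rejected
printf("vulnerable, without parent: %s\n", vulnerable_handler($withoutParent)); // saved
printf("hardened, without parent:   %s\n", hardened_handler($withoutParent));   // rejected
```

The review heuristic this demonstrates: any capability check that sits inside a conditional on request parameters should be hoisted above the branch, since the caller controls which parameters are present.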

Fix

Weakness Enumeration
Missing Authorization

Related Identifiers
CVE-2026-5502

Affected Products
Tutor LMS