CVE-2026-12271 PUBLISHED

Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Quiz Attempt Modification via IDOR

Assigner: WPScan
Reserved: 15.06.2026 Published: 13.07.2026 Updated: 13.07.2026

The Tutor LMS WordPress plugin before 3.9.13 does not verify ownership of the targeted quiz attempt before writing to it, allowing authenticated users with subscriber-level access and above to modify and force-complete other students' quiz attempts, overwriting their recorded marks and pass/fail result.

Product Status

Vendor Unknown
Product Tutor LMS
Versions Default: unaffected
  • affected from 0 to 3.9.13 (excl.)

Credits

  • Muni Nitish Kumar Yaddala finder
  • WPScan coordinator

References

Problem Types

  • CWE-639 Authorization Bypass Through User-Controlled Key CWE