CVE-2026-12274 PUBLISHED

Tutor LMS < 3.9.13 - Instructor+ Arbitrary Post Overwrite via IDOR

Assigner: WPScan
Reserved: 15.06.2026 Published: 13.07.2026 Updated: 13.07.2026

The Tutor LMS WordPress plugin before 3.9.13 does not verify that the requesting user is allowed to edit a target post before overwriting it in one of its content-builder save handlers, authorizing the request only against an unrelated identifier, allowing authenticated users with instructor-level access to overwrite and take over any post or page on the site, including those owned by administrators.

Product Status

Vendor Unknown
Product Tutor LMS
Versions Default: unaffected
  • affected from 0 to 3.9.13 (excl.)

Credits

  • Meher Sudhakar Abbireddi finder
  • WPScan coordinator

References

Problem Types

  • CWE-639 Authorization Bypass Through User-Controlled Key CWE