๐Ÿ” CVE Alert

CVE-2026-12274

MEDIUM 6.5

Tutor LMS < 3.9.13 - Instructor+ Arbitrary Post Overwrite via IDOR

CVSS Score
6.5
EPSS Score
0.1%
EPSS Percentile
3th

The Tutor LMS WordPress plugin before 3.9.13 does not verify that the requesting user is allowed to edit a target post before overwriting it in one of its content-builder save handlers, authorizing the request only against an unrelated identifier, allowing authenticated users with instructor-level access to overwrite and take over any post or page on the site, including those owned by administrators.

Vendor unknown
Product tutor lms
Published Jul 13, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for unknown tutor lms

Be the first to know when new medium vulnerabilities affecting unknown tutor lms are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / Tutor LMS
0 < 3.9.13

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/c3d98ead-a4f4-48fd-bf9c-4fa91c5681d7/

Credits

Meher Sudhakar Abbireddi WPScan