CVE-2026-12274: CWE-639 Authorization Bypass Through User-Controlled Key in Tutor LMS
The Tutor LMS WordPress plugin before 3.9.13 does not verify that the requesting user is allowed to edit a target post before overwriting it in one of its content-builder save handlers, authorizing the request only against an unrelated identifier, allowing authenticated users with instructor-level access to overwrite and take over any post or page on the site, including those owned by administrators.
AI Analysis
Technical Summary
CVE-2026-12274 is an authorization bypass vulnerability in the Tutor LMS WordPress plugin prior to version 3.9.13. The vulnerability arises because the plugin's content-builder save handler authorizes requests based on an unrelated identifier rather than verifying the requesting user's permission to edit the targeted post. As a result, authenticated users with instructor-level privileges can overwrite and take over any post or page, including administrator-owned content, leading to potential privilege escalation and site compromise.
Potential Impact
Authenticated users with instructor-level access can overwrite any post or page on the affected WordPress site, including those owned by administrators. This can lead to unauthorized content modification, privilege escalation, and potential full site compromise depending on the content overwritten.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict instructor-level user permissions and monitor for suspicious activity related to content editing. Avoid granting instructor-level access to untrusted users.
CVE-2026-12274: CWE-639 Authorization Bypass Through User-Controlled Key in Tutor LMS
Description
The Tutor LMS WordPress plugin before 3.9.13 does not verify that the requesting user is allowed to edit a target post before overwriting it in one of its content-builder save handlers, authorizing the request only against an unrelated identifier, allowing authenticated users with instructor-level access to overwrite and take over any post or page on the site, including those owned by administrators.
CVSS v3.1
Score 6.5medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-12274 is an authorization bypass vulnerability in the Tutor LMS WordPress plugin prior to version 3.9.13. The vulnerability arises because the plugin's content-builder save handler authorizes requests based on an unrelated identifier rather than verifying the requesting user's permission to edit the targeted post. As a result, authenticated users with instructor-level privileges can overwrite and take over any post or page, including administrator-owned content, leading to potential privilege escalation and site compromise.
Potential Impact
Authenticated users with instructor-level access can overwrite any post or page on the affected WordPress site, including those owned by administrators. This can lead to unauthorized content modification, privilege escalation, and potential full site compromise depending on the content overwritten.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict instructor-level user permissions and monitor for suspicious activity related to content editing. Avoid granting instructor-level access to untrusted users.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- WPScan
- Date Reserved
- 2026-06-15T11:20:21.197Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a5486ae68715ace4350e265
Added to database: 07/13/2026, 06:33:18 UTC
Last enriched: 07/13/2026, 06:48:06 UTC
Last updated: 07/13/2026, 22:57:54 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.