CVE-2026-5502: CWE-862 Missing Authorization in themeum Tutor LMS – eLearning and online course solution
CVE-2026-5502 is a medium severity vulnerability in the Tutor LMS WordPress plugin up to and including version 3.9.8. It involves a missing authorization check in the tutor_update_course_content_order() function, allowing authenticated users with subscriber-level access or higher to manipulate course content order without proper permission validation. This can disrupt course structure by detaching lessons from topics, moving lessons between topics, and modifying menu order. The vulnerability arises because the function only validates a nonce but skips the user permission check when a specific parameter is omitted.
AI Analysis
Technical Summary
The Tutor LMS plugin for WordPress contains a missing authorization vulnerability (CWE-862) in the tutor_update_course_content_order() function. While the function validates a nonce to protect against CSRF, it fails to verify whether the user has permission to manage course content when the 'content_parent' parameter is absent. A nonce only proves the request originated from a form or script served to a logged-in user; it is not a capability check, so any authenticated user who can obtain the nonce passes it. This allows authenticated users with subscriber-level privileges or higher to alter the wp_posts table by detaching lessons from topics, moving lessons, and changing course content order without authorization. The vulnerability affects versions up to and including 3.9.8.
Potential Impact
An attacker with subscriber-level or higher access can manipulate the structure of any course on the affected WordPress site by detaching lessons from topics, moving lessons between topics, and modifying the menu order of course content. This leads to unauthorized modification of course content order, potentially disrupting the learning experience. There is no direct confidentiality or availability impact reported.
Mitigation Recommendations
Patch status is not yet confirmed — no official fix or patch is currently available according to the vendor advisory. Users should monitor the vendor's communications for updates. Until a fix is released, restrict subscriber-level user capabilities where possible, review user roles to limit access to course content management functions, and audit open registration settings so that subscriber accounts cannot be created freely. Monitoring for unexpected changes to lesson parent or menu order values in wp_posts can help detect abuse.
CVSS v3.1
Score: 5.3 (medium)
Weaknesses
CWE-862 Missing Authorization
AI-Powered Analysis
Machine-generated threat intelligence
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-04-03T15:48:58.659Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69e1b7b882d89c981f6ce761
Added to database: 4/17/2026, 4:31:52 AM
Last enriched: 4/24/2026, 4:18:55 PM
Last updated: 6/1/2026, 8:57:10 PM