MEDIUMCVE-2026-5502CVSS 5.3

CVE-2026-5502: Tutor LMS Course Content Manipulation Vulnerability

Platform

wordpress

Component

tutor

Fixed in

3.9.9

AI Confidence: highNVDEPSS 0.0%Reviewed: Apr 2026

View on NVD

Save

CVE-2026-5502 is a security vulnerability affecting the Tutor LMS plugin for WordPress. This issue allows unauthorized users to manipulate course content due to a missing authorization check within the plugin's code. Versions of Tutor LMS up to and including 3.9.8 are affected, and a patch is available in version 3.9.9.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureHigh

Reports2 threat reports

EPSS

0.01% (3% percentile)

CISA SSVC

Exploitationnone

Automatableyes

Technical Impactpartial

CVSS Vector

Affected Software

Componenttutor

Vendorwordfence

Affected rangeFixed in

0.0.0 – 3.9.83.9.9

3.9.83.9.9

Weakness Classification (CWE)

CWE-862

Timeline

Reserved2026-04-03
Published2026-04-17
Modified2026-04-22
EPSS updated2026-04-24

How to fix

Update to version 3.9.9, or a newer patched version

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-5502?

CVE-2026-5502 is a vulnerability in the Tutor LMS WordPress plugin that allows unauthorized users to modify course content. It’s caused by a missing authorization check, allowing manipulation if the 'content_parent' parameter is absent in the request.

Am I affected by CVE-2026-5502?

You are potentially affected if you are using Tutor LMS version 3.9.8 or earlier. It’s crucial to assess your plugin versions and apply the necessary updates to mitigate this risk.

How do I fix CVE-2026-5502?

The vulnerability is fixed in Tutor LMS version 3.9.9. Update your plugin to this version or later to address the issue and prevent unauthorized course content manipulation.

NextGuard

Vulnerabilities

Package Information

Plugin rating

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

WordPress

Detect this CVE in your project

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

5.0

What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Unchanged — impact is limited to the vulnerable component itself.
Confidentiality: None — no confidentiality impact. Attacker cannot read protected data.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.