The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order() function. The function only validates the nonce (CSRF protection) but does not verify whether the user has permission to manage course content. The can_user_manage() authorization check only executes when the 'content_parent' parameter is pr

CVE-2026-5502 is a vulnerability in the Tutor LMS WordPress plugin that allows unauthorized users to modify course content. It’s caused by a missing authorization check, allowing manipulation if the 'content_parent' parameter is absent in the request.

You are potentially affected if you are using Tutor LMS version 3.9.8 or earlier. It’s crucial to assess your plugin versions and apply the necessary updates to mitigate this risk.

The vulnerability is fixed in Tutor LMS version 3.9.9. Update your plugin to this version or later to address the issue and prevent unauthorized course content manipulation.