CVE-2026-12274: The Tutor LMS WordPress plugin before 3.9.13 does not verify that the requesting user is allowed to edit a target post
Summary
The Tutor LMS WordPress plugin before version 3.9.13 has a security flaw where it doesn't properly check if a user has permission to edit a post before allowing them to overwrite it. This means any authenticated user with instructor-level access (a regular teacher account) can take over and edit any post or page on the website, including those belonging to administrators, because the plugin only checks an unrelated identifier instead of verifying actual permissions.
Solution / Mitigation
Update the Tutor LMS WordPress plugin to version 3.9.13 or later.
Vulnerability Details
6.5(medium)
EPSS: 0.1%
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
network
low
low
none
July 13, 2026
Classification
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-12274
First tracked: July 13, 2026 at 02:09 PM
Classified by LLM (prompt v3) · confidence: 95%