CVE-2026-12271 in Tutor LMS Plugininfo

Summary

by MITRE • 07/13/2026

The Tutor LMS WordPress plugin before 3.9.13 does not verify ownership of the targeted quiz attempt before writing to it, allowing authenticated users with subscriber-level access and above to modify and force-complete other students' quiz attempts, overwriting their recorded marks and pass/fail result.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/13/2026

The vulnerability in Tutor LMS WordPress plugin versions prior to 3.9.13 represents a critical access control flaw that undermines the integrity of educational assessment systems. This issue stems from insufficient input validation and authorization checks within the quiz management functionality, specifically affecting the handling of quiz attempt data. The plugin fails to properly verify whether an authenticated user has legitimate ownership rights over a specific quiz attempt before permitting modifications to that record.

The technical nature of this vulnerability allows attackers with subscriber-level privileges or higher to exploit the lack of proper access controls by manipulating quiz attempt data through direct API calls or interface interactions. When a user attempts to modify a quiz, the system does not validate whether the requesting user is authorized to make changes to that particular attempt, creating an arbitrary write flaw. This authorization bypass enables malicious actors to overwrite existing quiz results, potentially altering grades and academic outcomes for other users.

The operational impact of this vulnerability extends beyond simple data modification, as it fundamentally compromises the trustworthiness of assessment systems within educational platforms. An attacker could manipulate student results to achieve passing grades when failing, or conversely, force failures that might affect academic standing or progression. This type of privilege escalation directly violates principles of data integrity and access control that are essential for maintaining academic honesty in digital learning environments.

From a cybersecurity perspective, this vulnerability aligns with CWE-285 (Improper Authorization) and represents an instance where insufficient access controls allow unauthorized modifications to protected resources. The attack pattern follows typical privilege escalation techniques found in the MITRE ATT&CK framework under the privilege escalation category, specifically targeting application-level privileges within web applications. The vulnerability's exploitation requires minimal technical expertise beyond basic authentication and could be automated through simple API manipulation or direct database queries.

The recommended mitigation involves implementing proper ownership verification checks before allowing any modifications to quiz attempts. This includes validating that the authenticated user has explicit authorization to modify a specific quiz attempt, typically through database-level foreign key constraints or application-level access control lists. Updates to the plugin should enforce strict permission checks that verify user roles and ownership relationships for each quiz attempt. Additionally, implementing audit logging for all quiz attempt modifications would provide visibility into unauthorized access attempts and help detect potential exploitation.

Security teams should also consider implementing role-based access controls that explicitly define which users can modify specific quiz records, ensuring that only instructors or administrators with proper authorization can alter student results. The fix should include comprehensive input validation and proper error handling to prevent information disclosure about the existence of specific quiz attempts. Organizations using Tutor LMS should immediately update to version 3.9.13 or later, as this release includes the necessary access control improvements. Regular security audits of WordPress plugins should be conducted to identify similar authorization flaws that could compromise educational data integrity and academic assessment systems.

Responsible

WPScan

Reservation

06/15/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!