Dismissed
(no matching packages found)
Permalink
CVE-2026-12271
5.4 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): Low (L)
- Availability (A): Low (L)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): Low (L)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): Low (L)
Activity log
- Created & dismissed (no matching packages found) suggestion
Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Quiz Attempt Modification via IDOR
The Tutor LMS WordPress plugin before 3.9.13 does not verify ownership of the targeted quiz attempt before writing to it, allowing authenticated users with subscriber-level access and above to modify and force-complete other students' quiz attempts, overwriting their recorded marks and pass/fail result.
References
-
https://wpscan.com/vulnerability/ca99ea35-4bf8-4dc8-a817-79fb9fa1c5bd/ vdb-entrytechnical-descriptionexploit
Affected products
Tutor LMS
- <3.9.13