CVE-2026-12271
Description
The Tutor LMS WordPress plugin before 3.9.13 does not verify ownership of the targeted quiz attempt before writing to it, allowing authenticated users with subscriber-level access and above to modify and force-complete other students' quiz attempts, overwriting their recorded marks and pass/fail result.
Metadata
Severity & Metrics
No CVSS data available.
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Unknown | Tutor LMS | — | 0 < 3.9.13 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| — | cna | CWE-639 Authorization Bypass Through User-Controlled Key |