Unauthorized Quiz Manipulation in Tutor LMS Plugin by Tutor Pro Inc.
CVE-2026-12271

Currently unrated

Key Information:

Vendor

WordPress

Status
Vendor
CVE Published:
13 July 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2026-12271?

The Tutor LMS WordPress plugin prior to version 3.9.13 contains an access control flaw that allows authenticated users with subscriber-level permissions or higher to manipulate quiz attempts. This vulnerability enables these users to overwrite quiz marks and force-complete the assessment for other students, thereby compromising the integrity of the quiz results.

Affected Version(s)

Tutor LMS 0 < 3.9.13

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Muni Nitish Kumar Yaddala
WPScan
.