Tutor LMS allows course creators to drag and drop topics, lessons, and quizzes to arrange course content in any order they prefer. This intuitive ordering system is essential for creating logical learning paths. However, some users report that after spending time carefully ordering their course content, the order suddenly resets to default or becomes completely scrambled, requiring them to reorder everything again.
This problem can be incredibly frustrating, especially for courses with dozens of lessons and quizzes. The time invested in organizing content is wasted, and course creators may lose confidence in the platform. The issue may appear after updating Tutor LMS or other plugins, or it may happen spontaneously without any obvious trigger.
The most common cause of this problem is a permission issue that prevents the order data from being saved correctly. More seriously, recent security vulnerabilities in Tutor LMS versions up to 3.9.8 have exposed authorization weaknesses that could allow authenticated attackers to manipulate course content order [citation:1][citation:6]. An attacker with subscriber-level access could detach lessons from topics, move lessons between topics, and modify the menu_order of course content, effectively disrupting any course on the site [citation:1].
Why Tutor LMS course content order resets
Tutor LMS stores the order of topics and lessons using a menu_order parameter in the database. When you drag and drop items to reorder them, the plugin sends an AJAX request to update these menu_order values. If the request fails or is blocked, the order is not saved. Security plugins that block AJAX requests or caching plugins that interfere with the request can cause this issue.
A more serious cause is the recently discovered vulnerability in Tutor LMS versions up to 3.9.8. The tutor_update_course_content_order() function does not properly verify whether the user has permission to manage course content before processing the order update [citation:1]. The can_user_manage() authorization check only executes when the ‘content_parent’ parameter is present in the request. When this parameter is omitted, the function proceeds directly to manipulate the wp_posts table without any authorization validation [citation:1].
This vulnerability makes it possible for authenticated attackers with subscriber-level access and above to modify the menu_order of course content, effectively allowing them to disrupt the course structure. Updating to Tutor LMS version 3.9.8 or higher is critical to patch this security issue [citation:1][citation:6].
How to check if the course content order is being saved correctly
Open the browser developer tools by pressing F12 and navigate to the Network tab before reordering course content. Drag and drop a topic or lesson to a new position, and watch for the AJAX request that is sent to save the new order. Check the response of this request. If the response indicates an error (like 403 Forbidden or 500 Internal Server Error), the order is not being saved. If the request returns a 200 OK but the order still resets, the issue may be with the database.
Step by step guide to fixing Tutor LMS ordering problems
Follow these steps in order to restore proper course content ordering in Tutor LMS. Start with the simplest solutions before moving to more advanced troubleshooting steps.
- Update Tutor LMS to the latest version (3.9.8 or higher) to patch the security vulnerability [citation:1]
- Check that your user account has the necessary permissions to edit course content
- Temporarily disable all security plugins to test if they block the AJAX ordering request
- Clear all caches including plugin cache, CDN cache, and browser cache completely
- Check the browser console for JavaScript errors when dragging and dropping items
- Try reordering content using a different browser or in incognito mode
- Switch to a default WordPress theme to test if the theme interferes with the AJAX request
- Repair the database using the WordPress database repair tool
- Re-save the course after reordering (click Update button multiple times)
- Contact Tutor LMS support with specific details about which courses are affected
How to manually update course content order in the database
If the drag-and-drop ordering continues to fail, you can manually update the menu_order values in the database. Use phpMyAdmin or another database management tool to access the wp_posts table. Find all lessons and topics belonging to the problematic course and modify their menu_order column values. Set menu_order to 0 for the first item, 1 for the second, and so on. This should be done only by users comfortable working directly with the database, and a full backup should be taken before any manual changes.
Tutor LMS ordering troubleshooting reference table
Here is a reference table for diagnosing course content ordering problems in Tutor LMS based on specific symptoms you might encounter.
| Symptom | Most likely cause | Recommended solution | Order resets after page refresh | AJAX request not saving or outdated plugin version | Update Tutor LMS and check for JavaScript errors | Lessons detach from topics after reordering | Security vulnerability in versions below 3.9.8 | Update to Tutor LMS 3.9.8 or higher immediately | Cannot drag and drop items at all | JavaScript conflict or browser extension blocking | Test in incognito mode with all extensions disabled | Order appears correct in editor but wrong on frontend | Caching plugin serving old course content | Clear all caches and exclude course pages from caching |
|---|
For more information about Tutor LMS security and settings, visit the Tutor LMS page on wpwizzy.com.
Preventing Tutor LMS ordering problems in the future
Keep Tutor LMS updated to the latest version at all times, as security vulnerabilities are actively being discovered and patched. Versions prior to 3.9.8 contain serious authorization flaws that allow attackers to manipulate course content [citation:1][citation:6]. Test course content ordering after every plugin update to catch problems early, and use a staging website to test major changes before applying them to the live production site.
Regularly back up the database, especially before making significant changes to course structure. Consider using a user role editor plugin to restrict course editing permissions to trusted users only, minimizing the risk of malicious content manipulation. Monitor the server error logs for any AJAX-related errors that might indicate problems with the ordering functionality.