CVE-2026-3358 — Missing Authorization in Tutor LMS Elearning AND Online Course Solution
Severity: 5.4 MEDIUM (NVD)
EPSS: 0.1% (top 81.59%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Apr 11
Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with…
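The defect described above is a missing state check between authentication and the enrollment write. The following is an added, constructed example (not Tutor LMS code, and not the plugin's real handler names or post type): a WordPress AJAX enrollment handler in the shape the advisory describes, with the `post_status` gap, followed by a hardened version. The action name `demo_enroll`, the post type `demo_course`, and the helpers `demo_course_is_purchasable()` and `demo_record_enrollment()` are hypothetical; `check_ajax_referer()`, `is_user_logged_in()`, `get_post()`, `current_user_can( 'read_post', … )` and `wp_send_json_*()` are real WordPress APIs.

```php
<?php
// Constructed example, not Tutor LMS code. Shows the advisory's defect shape
// (nonce, login and purchasability checked, post_status not checked) and a fix.

// --- Vulnerable shape: an authenticated user can enroll in a 'private' course.
function demo_enroll_vulnerable() {
    check_ajax_referer( 'demo_enroll', 'nonce' );            // CSRF token check
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );         // exits
    }
    $course_id = absint( $_POST['course_id'] ?? 0 );
    if ( demo_course_is_purchasable( $course_id ) ) {
        wp_send_json_error( 'purchase required', 403 );      // exits
    }
    // Missing here: nothing confirms the course is published. A private
    // (or draft) course is enrolled exactly like a public one.
    demo_record_enrollment( get_current_user_id(), $course_id );
    wp_send_json_success();
}

// --- Hardened shape: resolve the post, confirm its type, then require that
// the current user may read it. For a private post, current_user_can(
// 'read_post', $id ) maps to the post type's read_private_posts capability,
// so this reuses the same authorization decision WordPress applies on the front end.
function demo_enroll_hardened() {
    check_ajax_referer( 'demo_enroll', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $course_id = absint( $_POST['course_id'] ?? 0 );
    $course    = get_post( $course_id );
    // Assumption: courses are stored under the post type 'demo_course'.
    if ( ! $course || 'demo_course' !== $course->post_type ) {
        wp_send_json_error( 'no such course', 404 );
    }
    // Only published courses are open for self-enrollment; any other status
    // (private, draft, pending, trash) requires explicit read rights.
    if ( 'publish' !== $course->post_status
         && ! current_user_can( 'read_post', $course_id ) ) {
        wp_send_json_error( 'course not available', 403 );
    }
    if ( demo_course_is_purchasable( $course_id ) ) {
        wp_send_json_error( 'purchase required', 403 );
    }
    demo_record_enrollment( get_current_user_id(), $course_id );
    wp_send_json_success();
}

// Hypothetical helpers so the file stands alone; a real plugin would consult
// its own pricing and enrollment tables.
function demo_course_is_purchasable( $course_id ) {
    return false;                                            // free course for the demo
}
function demo_record_enrollment( $user_id, $course_id ) {
    add_user_meta( $user_id, 'demo_enrolled_course', $course_id );
}

add_action( 'wp_ajax_demo_enroll', 'demo_enroll_hardened' );
```

The ordering matters: the status/authorization check sits before the purchasability check so that a private course cannot leak through the "free course" path. Because the weakness is a missing check rather than a crafted input, log review on a patched site should look for enrollment rows whose course was `private` at enrollment time, since those are the only artifact the unauthorized path leaves.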
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.5
Affected Packages: 1 package
Vulnerability Details
Sources (3):
GHSA (2026-04-11): GHSA-mf3h-x5xj-q2g5: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up t
CVEList (2026-04-11): Tutor LMS <= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment
VulDB (2026-04-11): themeum Tutor LMS Plugin up to 3.9.7 on WordPress POST enroll_now/course_enrollment authorization