CVE-2026-3360: Missing Authorization in Tutor LMS eLearning and Online Course Solution

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 68.84%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 10

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity.
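The pattern the advisory describes, shown as an added illustration alongside a hardened version of the same handler. This is not Tutor LMS code: `tutor_lookup_order()` and `tutor_save_billing()` are hypothetical stand-ins for the plugin's order lookup and profile-write helpers; the WordPress functions used for the checks are real.

```php
<?php
// Added illustration, not the plugin's own code. tutor_lookup_order() and
// tutor_save_billing() are hypothetical placeholders for the plugin's helpers.

// Vulnerable shape: any request may name any order_id, and billing fields are
// written to the order owner's profile with no identity or ownership check.
function pay_incomplete_order_vulnerable() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $order    = tutor_lookup_order( $order_id );     // hypothetical
    tutor_save_billing( $order->user_id, $_POST );   // hypothetical
}

// Hardened shape: valid nonce, authenticated caller, and the caller must own
// the order (or hold an administrative capability) before anything is written.
function pay_incomplete_order_hardened() {
    // Rejects forged or replayed requests; check_ajax_referer() dies on failure.
    check_ajax_referer( 'tutor_pay_incomplete_order', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Login required' ), 401 );
    }

    $order_id = absint( $_POST['order_id'] ?? 0 );
    $order    = tutor_lookup_order( $order_id );     // hypothetical
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'Order not found' ), 404 );
    }

    // The key fix: compare the order's user_id with the authenticated user.
    // Nothing in the request body is trusted for this decision.
    $is_owner = (int) $order->user_id === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Not your order' ), 403 );
    }

    // Only an explicit allow-list of billing fields, sanitized, reaches the profile.
    $billing = array(
        'billing_first_name' => sanitize_text_field( wp_unslash( $_POST['billing_first_name'] ?? '' ) ),
        'billing_email'      => sanitize_email( wp_unslash( $_POST['billing_email'] ?? '' ) ),
    );
    tutor_save_billing( $order->user_id, $billing ); // hypothetical
    wp_send_json_success();
}
```

For detection, a request to this endpoint that arrives unauthenticated, or whose `order_id` does not belong to the session's user, is the signal to alert on.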

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages: 1 package

Vulnerability Details (3 references)

CVEList: Tutor LMS <= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via 'order_id' Parameter (2026-04-10)
VulDB: themeum Tutor LMS Plugin up to 3.9.7 on WordPress POST pay_incomplete_order user_id authorization (2026-04-10)
GHSA: GHSA-hqrg-cfxf-rjg9: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, (2026-04-10)
CVE-2026-3360 — Missing Authorization | cvebase