Security Alert Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress contains an Insecure Direct Object Reference vulnerability that can allow unauthenticated attackers to overwrite billing profile fields for users with incomplete manual orders. The issue stems from missing authentication and authorization checks in a server-side function that accepts an attacker-controlled order identifier.
CVE Details
- CVE ID: CVE-2026-3360
- Affected component: Tutor LMS – eLearning and online course solution plugin for WordPress
- Affected versions: All versions up to, and including, 3.9.7
- Published: April 10, 2026 at 02:16:03 AM
- Last modified: April 10, 2026 at 02:16:03 AM
- CVSS v3.1 base score: 7.5
- CVSS v3.1 severity: HIGH
- CVSS vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- Authentication / privileges / user interaction: No privileges required (PR:N); no user interaction required (UI:N); reachable over the network (AV:N)
- Primary impact: Confidentiality: None; Integrity: High; Availability: None
- CWE / weakness: CWE-862 (Missing Authorization)
Technical Details
The vulnerability exists because the pay_incomplete_order() function accepts an attacker-controlled order_id parameter, looks up order data, and writes billing fields to the order owner’s profile ($order_data->user_id) without verifying the requester’s identity or ownership of the order. The Tutor nonce (_tutor_nonce) is exposed on public frontend pages, which an attacker can reuse in a crafted POST request. An attacker who can guess or enumerate a valid order_id for a user with an incomplete manual order can submit a request that overwrites billing details such as name, email, phone, and address for that user.
This is an integrity-only issue: it allows modification of user billing data but, based on the available information, involves no direct disclosure of confidential data and no availability disruption, consistent with the C:N/I:H/A:N vector above.
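The pattern described above, shown as an added illustration rather than Tutor LMS's own code: a hypothetical handler that trusts a client-supplied order_id, beside a hardened version that authenticates the caller and checks order ownership before writing. The nonce action name and the $order_lookup callable are assumptions; note that a nonce alone does not help when it is exposed on public pages, which is why the ownership check is the essential part.

```php
<?php
// Hypothetical handler illustrating the IDOR pattern; not Tutor LMS code.
// Assumes $order_lookup is a callable returning an object with ->user_id, or null.

// BEFORE: the order_id comes from the request and the write goes to the order
// owner's account. A nonce copied from a public page says nothing about who is
// calling, so no identity or ownership check actually happens here.
function pay_incomplete_order_vulnerable( callable $order_lookup ) {
    $order_id   = isset( $_POST['order_id'] ) ? (int) $_POST['order_id'] : 0;
    $order_data = $order_lookup( $order_id );
    if ( ! $order_data ) {
        wp_send_json_error( 'Order not found' );
    }
    // Writes to $order_data->user_id, never to the caller's own account.
    update_user_meta( $order_data->user_id, 'billing_email', sanitize_email( $_POST['billing_email'] ?? '' ) );
    wp_send_json_success();
}

// AFTER: require a logged-in user, verify the nonce, then enforce object-level
// authorization: the order must belong to the caller, or the caller must hold a
// capability that legitimately covers other users' orders.
function pay_incomplete_order_fixed( callable $order_lookup ) {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Authentication required', 401 );
    }
    check_ajax_referer( 'tutor_nonce_action', '_tutor_nonce' ); // assumed action name

    $order_id   = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order_data = $order_lookup( $order_id );
    $current    = get_current_user_id();

    // Same response for a missing order and someone else's order, so the
    // endpoint cannot be used to confirm which order ids exist.
    if ( ! $order_data
        || ( (int) $order_data->user_id !== $current && ! current_user_can( 'manage_options' ) ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    // Write only to the verified owner, with sanitized values.
    update_user_meta( $order_data->user_id, 'billing_email', sanitize_email( $_POST['billing_email'] ?? '' ) );
    wp_send_json_success();
}
```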
How This Could Impact Your Website
Consider a site where the site owner manages course purchases, internal staff process orders, and external contractors or contributors assist with content. If an attacker overwrites billing email or phone fields for a user who has an incomplete manual order, order notifications or follow-up messages could be redirected, and contact records become unreliable. This can increase the risk of targeted phishing or social engineering because attackers may cause communications to be sent to addresses or numbers they control or to manipulated contact records.
In practice, affected users may receive incorrect order confirmations, invoices may be associated with incorrect contact details, or outreach intended for a legitimate user may be diverted. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor-level accounts and users who can create orders.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins and audit plugins with public frontend endpoints that accept POST requests.
- Monitor site activity and logs for unusual POST requests, unexpected changes to user profiles, and order-related changes.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Tutor.php#L563
- https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L1059
- https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L108
- https://plugins.trac.wordpress.org/browser/tutor/trunk/ecommerce/CheckoutController.php#L1059
- https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/ecommerce/CheckoutController.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/7f365519-dd0a-4f39-880d-7216ce2f7d1e?source=cve