Security Alert Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress contains an insecure direct object reference vulnerability that allows authenticated users with Subscriber-level access or higher to reorder course content, detach lessons from topics, and reassign lessons between topics without proper authorization. The issue is caused by missing authorization checks in a private method that is invoked by an AJAX handler which processes attacker-supplied JSON.
CVE Details
- CVE ID: CVE-2026-3371
- Affected component: Tutor LMS – eLearning and online course solution plugin for WordPress
- Affected versions: All versions up to and including 3.9.7
- Published: April 11, 2026 at 2:16:01 AM (UTC)
- Last modified: April 11, 2026 at 2:16:01 AM (UTC)
- CVSS v3.1: Base score 4.3, Medium — Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Authentication / privileges / interaction: Requires an authenticated user with low privileges (PR:L); no user interaction is needed (UI:N); the attack vector is the network, via the plugin's AJAX endpoint (AV:N).
- Primary impact: Confidentiality: NONE; Integrity: LOW; Availability: NONE
- Weakness (CWE): CWE-639
Technical Details
The vulnerability exists because the private method save_course_content_order() is called unconditionally by the AJAX handler tutor_update_course_content_order. While the handler performs a can_user_manage() check in the content_parent branch, the save_course_content_order() call accepts and processes attacker-supplied tutor_topics_lessons_sorting JSON without verifying ownership or user capabilities. As a result, an authenticated user with Subscriber-level access or higher can send a crafted AJAX request with manipulated topic and lesson IDs to detach lessons from topics, reorder content, or reassign lessons between topics in courses they do not own, including admin-owned courses.
The impact is limited to modification of course content structure (integrity). There is no indication in the provided data of confidentiality or availability impact beyond content reorganization.
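As an added illustration of the check the advisory says is missing, here is a hypothetical WordPress AJAX handler that authorizes every topic and lesson named in the incoming sorting JSON before writing anything; it is not Tutor LMS code and not the vendor's patch. The action name, nonce name, payload keys and post type names are assumptions.

```php
<?php
// Hypothetical handler (added example, not the plugin's code). A topic/lesson
// ordering payload is only applied after each referenced object is authorized,
// instead of trusting attacker-supplied IDs once the course parent passed a check.

add_action( 'wp_ajax_example_update_content_order', 'example_update_content_order' );

function example_update_content_order() {
    check_ajax_referer( 'example_content_order', '_nonce' ); // assumed nonce name

    $raw     = isset( $_POST['sorting'] ) ? wp_unslash( $_POST['sorting'] ) : '';
    $sorting = json_decode( $raw, true );
    if ( ! is_array( $sorting ) ) {
        wp_send_json_error( array( 'message' => 'Invalid payload' ), 400 );
    }

    // Pass 1: authorize every topic and lesson in the request. Any failure
    // rejects the whole request, so no partial reordering happens.
    foreach ( $sorting as $topic ) {
        $topic_id = isset( $topic['topic_id'] ) ? absint( $topic['topic_id'] ) : 0;
        if ( ! example_can_edit( $topic_id, 'example_topic' ) ) {
            wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
        }
        foreach ( (array) ( $topic['lesson_ids'] ?? array() ) as $lesson_id ) {
            if ( ! example_can_edit( absint( $lesson_id ), 'example_lesson' ) ) {
                wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
            }
        }
    }

    // Pass 2: apply order and parent assignments, now that all IDs are authorized.
    foreach ( $sorting as $topic_index => $topic ) {
        $topic_id = absint( $topic['topic_id'] );
        wp_update_post( array( 'ID' => $topic_id, 'menu_order' => $topic_index ) );
        foreach ( (array) ( $topic['lesson_ids'] ?? array() ) as $lesson_index => $lesson_id ) {
            wp_update_post( array(
                'ID'          => absint( $lesson_id ),
                'post_parent' => $topic_id,   // reassignment between topics
                'menu_order'  => $lesson_index,
            ) );
        }
    }
    wp_send_json_success();
}

// True only if the post exists, has the expected type, and the current user may
// edit it; edit_post resolves to edit_others_posts for posts the user does not own.
function example_can_edit( $post_id, $post_type ) {
    $post = $post_id ? get_post( $post_id ) : null;
    return $post && $post->post_type === $post_type && current_user_can( 'edit_post', $post_id );
}
```

The two-pass structure matters: checking inside the write loop would still leave earlier items modified when a later item is rejected.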
How This Could Impact Your Website
Consider a site with multiple roles: a site owner who manages overall site settings, internal staff who create and manage courses, and external contributors or contractors who add content. An authenticated contributor or a low-privilege user could manipulate course structure for courses they do not own. Practical consequences include:
- Lessons detached from their intended topics, causing course pages to display out-of-order or incomplete content to students.
- Lessons reassigned to different topics or courses, leading to confusion for learners and instructors and increased administrative workload to restore correct structure.
- Potential erosion of user trust if course content appears incorrect or inconsistent to paid students or external learners.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and other low-privilege accounts that have no need to modify course structure.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins to reduce attack surface.
- Monitor site activity and logs for unusual admin or course-content modification actions, and verify course integrity regularly.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1687
- https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1755
- https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L252
- https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f9cf0430-8577-449a-aefe-d7bf606fe2de?source=cve