Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`.
Published: 2026-04-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated overwrite of billing profile data
Action: Patch Now
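The authentication and ownership checks the description says are missing, shown in a hardened WordPress AJAX handler. This is an added illustrative example, not Tutor LMS's own code; the helper tutor_lookup_order(), the nonce action name 'tutor_nonce_action', the hook name and the billing meta keys are assumptions.

```php
<?php
// Added illustrative example, not Tutor LMS's own code. Assumes a WordPress AJAX
// handler receiving `order_id` and billing fields via POST, and a hypothetical
// helper tutor_lookup_order() returning an object with a user_id field
// (mirroring $order_data->user_id in the description).
function hardened_pay_incomplete_order() {
    // 1. Nonce check. `_tutor_nonce` is rendered on public pages, so passing it
    //    only proves the request went through the site's own forms: it is a
    //    CSRF control, not an identity or ownership control.
    //    (The action name 'tutor_nonce_action' is an assumption.)
    $nonce = isset( $_POST['_tutor_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_tutor_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'tutor_nonce_action' ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }
    // 2. Authentication: an anonymous requester has no order of their own to pay.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Login required' ), 401 );
    }
    // 3. Look up the order by the client-supplied id (untrusted input).
    $order_id   = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order_data = $order_id ? tutor_lookup_order( $order_id ) : null; // hypothetical helper
    if ( ! $order_data ) {
        wp_send_json_error( array( 'message' => 'Order not found' ), 404 );
    }
    // 4. Authorization: only the order owner (or an administrator) may act on it.
    //    This is the check whose absence turns order_id into an IDOR.
    if ( (int) $order_data->user_id !== get_current_user_id() && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Not your order' ), 403 );
    }
    // 5. Only now write billing fields, and only to the verified owner, after
    //    sanitising each value (meta keys are hypothetical).
    $email = isset( $_POST['billing_email'] ) ? sanitize_email( wp_unslash( $_POST['billing_email'] ) ) : '';
    if ( '' !== $email && ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email' ), 400 );
    }
    foreach ( array( 'billing_name', 'billing_phone', 'billing_address' ) as $field ) {
        if ( isset( $_POST[ $field ] ) ) {
            update_user_meta( $order_data->user_id, $field, sanitize_text_field( wp_unslash( $_POST[ $field ] ) ) );
        }
    }
    if ( '' !== $email ) {
        update_user_meta( $order_data->user_id, 'billing_email', $email );
    }
    wp_send_json_success( array( 'order_id' => $order_id ) );
}
// Register only for authenticated users: no wp_ajax_nopriv_ hook, so the
// handler is unreachable without a session (hook name is hypothetical).
add_action( 'wp_ajax_tutor_pay_incomplete_order', 'hardened_pay_incomplete_order' );
```

Registering the handler without a `wp_ajax_nopriv_` counterpart is what makes the login requirement effective; the in-function `is_user_logged_in()` check is defence in depth.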
AI Analysis

Impact

Tutor LMS, a WordPress eLearning plugin, contains an insecure direct object reference that allows an attacker to send an unverified POST request to the pay_incomplete_order() function. When the request supplies a crafted order_id parameter, the function retrieves the order record and writes billing details (name, email, phone, address) to the order owner's profile without any authentication or authorization checks. The weakness is categorized as CWE-862, enabling unauthorized data modification.

Affected Systems

All versions of the Tutor LMS plugin for WordPress up to and including 3.9.7 are affected. This includes installations that have incomplete manual orders and expose the Tutor nonce on public pages.

Risk and Exploitability

The vulnerability scores a 7.5 on the CVSS scale, indicating high severity. Exploitability is high because the attack requires only a crafted HTTP request and does not depend on user interaction or elevated privileges. The EPSS score is unavailable, and the issue is not listed in the CISA KEV catalog. An unauthenticated attacker can therefore obtain control over the billing profile of any user who has an incomplete manual order, potentially leading to phishing or fraud attempts.

Generated by OpenCVE AI on April 10, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Tutor LMS plugin to the latest version (3.9.8 or newer).
  • Disable or restrict unauthenticated access to the pay_incomplete_order endpoint.
  • Remove the public exposure of the Tutor nonce from frontend pages.
  • Ensure that only completed orders are processed for payment and that incomplete orders cannot be altered.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 10 Apr 2026 09:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Themeum; Themeum tutor Lms – Elearning And Online Course Solution; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Removed: (none)
Values Added: Themeum; Themeum tutor Lms – Elearning And Online Course Solution; Wordpress; Wordpress wordpress

Fri, 10 Apr 2026 01:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`.
Type: Title
Values Removed: (none)
Values Added: Tutor LMS <= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via 'order_id' Parameter
Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862
Type: References
Values Removed: (none)
Values Added: (none)
Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-10T17:05:46.556Z

Reserved: 2026-02-27T19:38:55.529Z

Link: CVE-2026-3360

Vulnrichment

Updated: 2026-04-10T17:05:36.326Z

NVD

Status: Received

Published: 2026-04-10T02:16:03.073

Modified: 2026-04-10T02:16:03.073

Link: CVE-2026-3360

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:27:12Z

Weaknesses