{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3360", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-27T19:38:55.529Z", "datePublished": "2026-04-10T01:24:58.426Z", "dateUpdated": "2026-04-10T01:24:58.426Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-10T01:24:58.426Z"}, "affected": [{"vendor": "themeum", "product": "Tutor LMS \u2013 eLearning and online course solution", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.9.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`."}], "title": "Tutor LMS <= 3.9.7 - Missing Authorization to Unauthenticated Arbitrary Billing Profile Overwrite via 'order_id' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f365519-dd0a-4f39-880d-7216ce2f7d1e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Tutor.php#L563"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L108"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L1059"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/ecommerce/CheckoutController.php#L1059"}, {"url": "https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/ecommerce/CheckoutController.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "timeline": [{"time": "2026-02-27T20:06:17.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-09T12:40:11.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`."}], "id": "CVE-2026-3360", "lastModified": "2026-04-10T02:16:03.073", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-10T02:16:03.073", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Tutor.php#L563"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L1059"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/ecommerce/CheckoutController.php#L108"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/ecommerce/CheckoutController.php#L1059"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/ecommerce/CheckoutController.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7f365519-dd0a-4f39-880d-7216ce2f7d1e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.9.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tutor LMS \u2013 eLearning and online course solution", "source": "cna", "vendor": "themeum"}, "product": "tutor_lms_\u2013_elearning_and_online_course_solution", "vendor": "themeum"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-10T02:22:59.625515+00:00", "value": {"mitigation_remediation": ["Update the Tutor LMS plugin to the latest version (3.9.8 or newer).", "Disable or restrict unauthenticated access to the pay_incomplete_order endpoint.", "Remove the public exposure of the Tutor nonce from frontend pages.", "Ensure that only completed orders are processed for payment and that incomplete orders cannot be altered."], "summary": {"action": "Patch Now", "impact": "Unauthenticated overwrite of billing profile data"}, "threat_synthesis": {"affected_systems": "All versions of the Tutor LMS plugin for WordPress up to and including 3.9.7 are affected. This includes installations that have incomplete manual orders and expose the Tutor nonce on public pages.", "description_and_impact": "Tutor LMS, a WordPress eLearning plugin, contains an insecure direct object reference that allows an attacker to send an unverified POST request to the pay_incomplete_order() function. By supplying a crafted order_id parameter, the function retrieves the order record and writes billing details (name, email, phone, address) to the order owner's profile without any authentication or authorization checks. The weakness is categorized as CWE\u2011862, enabling unauthorized data modification.", "risk_and_exploitability": "The vulnerability scores a 7.5 on the CVSS scale, indicating high severity. Exploitability is high because the attack requires only a crafted HTTP request and does not depend on user interaction or elevated privileges. The EPSS score is unavailable, and the issue is not listed in the CISA KEV catalog. An unauthenticated attacker can therefore obtain control over the billing profile of any user who has an incomplete manual order, potentially leading to phishing or fraud attempts."}}}}, "created": "2026-04-10T08:36:13.130312+00:00", "updated": "2026-04-10T09:27:12.497276+00:00", "vendors": ["themeum", "themeum$PRODUCT$tutor_lms_\u2013_elearning_and_online_course_solution", "wordpress", "wordpress$PRODUCT$wordpress"]}