Tutor LMS WordPress Plugin Insecure Direct Object Reference (CVE-2026-3360)
The Tutor LMS plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR), allowing unauthenticated attackers to overwrite billing profiles of users with incomplete orders.
The Tutor LMS plugin, a widely used eLearning solution for WordPress, contains an Insecure Direct Object Reference (IDOR) vulnerability (CVE-2026-3360) affecting versions up to and including 3.9.7. This flaw resides within the pay_incomplete_order() function, which lacks proper authentication and authorization checks. The function processes user orders based on the order_id parameter, without validating the requester's identity or their ownership of the order. The _tutor_nonce is exposed on public frontend pages. An unauthenticated attacker can exploit this vulnerability to modify the billing information of any user who has an incomplete manual order within the Tutor LMS system. This is achieved by sending a specially crafted POST request containing a valid, but potentially guessed or enumerated, order_id.
Attack Chain
- Attacker identifies a WordPress site using a vulnerable version (<= 3.9.7) of the Tutor LMS plugin.
- Attacker enumerates or guesses valid
order_idvalues for incomplete manual orders. These IDs are integers and could be found by observing order numbers. - Attacker crafts a POST request to the
/wp-admin/admin-ajax.phpendpoint, targeting thepay_incomplete_orderaction. - The POST request includes the vulnerable
order_idparameter and malicious billing data (name, email, phone, address). The request also requires a valid_tutor_nonce. - The server-side
pay_incomplete_order()function processes the request without verifying the attacker's identity or authorization to modify the target user's billing information. - The function retrieves the order data associated with the provided
order_id. - The function uses
$order_data->user_idand writes the attacker-supplied billing details to the profile of the order owner. - The targeted user's billing profile is updated with the attacker's data, potentially leading to account takeover or financial fraud.
Impact
Successful exploitation of CVE-2026-3360 allows unauthenticated attackers to overwrite sensitive billing information associated with user accounts within a WordPress site using the vulnerable Tutor LMS plugin. The potential impact includes unauthorized modification of user profiles, which can facilitate phishing attacks, identity theft, or financial fraud if the compromised billing information is linked to payment methods. Since the vulnerability exists in a plugin designed for online courses, the targeted sectors are likely education, training, and e-learning platforms.
Recommendation
- Upgrade the Tutor LMS plugin to the latest version, which includes a patch for CVE-2026-3360, to remediate the vulnerability.
- Implement the Sigma rule
Tutor LMS Insecure Order ID Accessto detect attempts to exploit this vulnerability by monitoring for suspicious POST requests to theadmin-ajax.phpendpoint. - Implement the Sigma rule
Tutor LMS Billing Profile Updateto detect unauthorized billing profile updates via the vulnerable endpoint. - Monitor web server logs for POST requests to
/wp-admin/admin-ajax.phpwith theactionparameter set topay_incomplete_orderand investigate any unexpected activity.
Detection coverage 2
Tutor LMS Insecure Order ID Access
highDetects potential exploitation of the Tutor LMS IDOR vulnerability by monitoring POST requests to admin-ajax.php with the pay_incomplete_order action.
Tutor LMS Billing Profile Update
mediumDetects potential unauthorized billing profile updates in Tutor LMS by monitoring for POST requests indicating billing modifications.
Detection queries are available on the platform. Get full rules →