{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/tutor-lms/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-3360"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tutor LMS"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","idor","cve-2026-3360","tutor-lms"],"_cs_type":"advisory","_cs_vendors":["Tutor LMS"],"content_html":"\u003cp\u003eThe Tutor LMS plugin, a widely used eLearning solution for WordPress, contains an Insecure Direct Object Reference (IDOR) vulnerability (CVE-2026-3360) affecting versions up to and including 3.9.7. This flaw resides within the \u003ccode\u003epay_incomplete_order()\u003c/code\u003e function, which lacks proper authentication and authorization checks. The function processes user orders based on the \u003ccode\u003eorder_id\u003c/code\u003e parameter, without validating the requester's identity or their ownership of the order. The \u003ccode\u003e_tutor_nonce\u003c/code\u003e is exposed on public frontend pages. An unauthenticated attacker can exploit this vulnerability to modify the billing information of any user who has an incomplete manual order within the Tutor LMS system. This is achieved by sending a specially crafted POST request containing a valid, but potentially guessed or enumerated, \u003ccode\u003eorder_id\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a WordPress site using a vulnerable version (\u0026lt;= 3.9.7) of the Tutor LMS plugin.\u003c/li\u003e\n\u003cli\u003eAttacker enumerates or guesses valid \u003ccode\u003eorder_id\u003c/code\u003e values for incomplete manual orders. These IDs are integers and could be found by observing order numbers.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a POST request to the \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e endpoint, targeting the \u003ccode\u003epay_incomplete_order\u003c/code\u003e action.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the vulnerable \u003ccode\u003eorder_id\u003c/code\u003e parameter and malicious billing data (name, email, phone, address). The request also requires a valid \u003ccode\u003e_tutor_nonce\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server-side \u003ccode\u003epay_incomplete_order()\u003c/code\u003e function processes the request without verifying the attacker's identity or authorization to modify the target user's billing information.\u003c/li\u003e\n\u003cli\u003eThe function retrieves the order data associated with the provided \u003ccode\u003eorder_id\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe function uses \u003ccode\u003e$order_data-\u0026gt;user_id\u003c/code\u003e and writes the attacker-supplied billing details to the profile of the order owner.\u003c/li\u003e\n\u003cli\u003eThe targeted user's billing profile is updated with the attacker's data, potentially leading to account takeover or financial fraud.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3360 allows unauthenticated attackers to overwrite sensitive billing information associated with user accounts within a WordPress site using the vulnerable Tutor LMS plugin. The potential impact includes unauthorized modification of user profiles, which can facilitate phishing attacks, identity theft, or financial fraud if the compromised billing information is linked to payment methods. Since the vulnerability exists in a plugin designed for online courses, the targeted sectors are likely education, training, and e-learning platforms.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Tutor LMS plugin to the latest version, which includes a patch for CVE-2026-3360, to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eTutor LMS Insecure Order ID Access\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring for suspicious POST requests to the \u003ccode\u003eadmin-ajax.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eTutor LMS Billing Profile Update\u003c/code\u003e to detect unauthorized billing profile updates via the vulnerable endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003epay_incomplete_order\u003c/code\u003e and investigate any unexpected activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-tutor-lms-idor/","summary":"The Tutor LMS plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR), allowing unauthenticated attackers to overwrite billing profiles of users with incomplete orders.","title":"Tutor LMS WordPress Plugin Insecure Direct Object Reference (CVE-2026-3360)","url":"https://feed.craftedsignal.io/briefs/2024-01-tutor-lms-idor/"}],"language":"en","title":"CraftedSignal Threat Feed - Tutor-Lms","version":"https://jsonfeed.org/version/1.1"}