<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Tutor-Lms - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/tutor-lms/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/tutor-lms/feed.xml" rel="self" type="application/rss+xml"/><item><title>Tutor LMS WordPress Plugin Insecure Direct Object Reference (CVE-2026-3360)</title><link>https://feed.craftedsignal.io/briefs/2024-01-tutor-lms-idor/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-tutor-lms-idor/</guid><description>The Tutor LMS plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR), allowing unauthenticated attackers to overwrite billing profiles of users with incomplete orders.</description><content:encoded><![CDATA[<p>The Tutor LMS plugin, a widely used eLearning solution for WordPress, contains an Insecure Direct Object Reference (IDOR) vulnerability (CVE-2026-3360) affecting versions up to and including 3.9.7. This flaw resides within the <code>pay_incomplete_order()</code> function, which lacks proper authentication and authorization checks. The function processes user orders based on the <code>order_id</code> parameter, without validating the requester's identity or their ownership of the order. The <code>_tutor_nonce</code> is exposed on public frontend pages. An unauthenticated attacker can exploit this vulnerability to modify the billing information of any user who has an incomplete manual order within the Tutor LMS system. This is achieved by sending a specially crafted POST request containing a valid, but potentially guessed or enumerated, <code>order_id</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a WordPress site using a vulnerable version (&lt;= 3.9.7) of the Tutor LMS plugin.</li>
<li>Attacker enumerates or guesses valid <code>order_id</code> values for incomplete manual orders. These IDs are integers and could be found by observing order numbers.</li>
<li>Attacker crafts a POST request to the <code>/wp-admin/admin-ajax.php</code> endpoint, targeting the <code>pay_incomplete_order</code> action.</li>
<li>The POST request includes the vulnerable <code>order_id</code> parameter and malicious billing data (name, email, phone, address). The request also requires a valid <code>_tutor_nonce</code>.</li>
<li>The server-side <code>pay_incomplete_order()</code> function processes the request without verifying the attacker's identity or authorization to modify the target user's billing information.</li>
<li>The function retrieves the order data associated with the provided <code>order_id</code>.</li>
<li>The function uses <code>$order_data-&gt;user_id</code> and writes the attacker-supplied billing details to the profile of the order owner.</li>
<li>The targeted user's billing profile is updated with the attacker's data, potentially leading to account takeover or financial fraud.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-3360 allows unauthenticated attackers to overwrite sensitive billing information associated with user accounts within a WordPress site using the vulnerable Tutor LMS plugin. The potential impact includes unauthorized modification of user profiles, which can facilitate phishing attacks, identity theft, or financial fraud if the compromised billing information is linked to payment methods. Since the vulnerability exists in a plugin designed for online courses, the targeted sectors are likely education, training, and e-learning platforms.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Tutor LMS plugin to the latest version, which includes a patch for CVE-2026-3360, to remediate the vulnerability.</li>
<li>Implement the Sigma rule <code>Tutor LMS Insecure Order ID Access</code> to detect attempts to exploit this vulnerability by monitoring for suspicious POST requests to the <code>admin-ajax.php</code> endpoint.</li>
<li>Implement the Sigma rule <code>Tutor LMS Billing Profile Update</code> to detect unauthorized billing profile updates via the vulnerable endpoint.</li>
<li>Monitor web server logs for POST requests to <code>/wp-admin/admin-ajax.php</code> with the <code>action</code> parameter set to <code>pay_incomplete_order</code> and investigate any unexpected activity.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>idor</category><category>cve-2026-3360</category><category>tutor-lms</category></item></channel></rss>