Vendor
The Tutor LMS plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR), allowing unauthenticated attackers to overwrite billing profiles of users with incomplete orders.