Authorization Bypass in Tutor LMS Plugin for WordPress
CVE-2026-3358
5.4 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 11 April 2026
What is CVE-2026-3358?
The Tutor LMS plugin for WordPress is susceptible to unauthorized enrollment in private courses due to a lack of post_status validation in critical functions. This vulnerability allows users with Subscriber-level access and above to exploit the enrollment endpoints, bypassing intended restrictions. Although the core access control prevents content visibility, attackers can still see the course title and their enrollment status. Proper validation is essential to ensure that only authorized users with the required permissions can enroll in private courses.
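The missing check described above can be expressed as a default-deny guard on the course's post_status, run before any enrollment record is written. This is an added example, not Tutor LMS code and not the vendor's patch: the `example_*` function names and error codes are hypothetical, the `courses` post type is an assumption, and the wrapper relies on WordPress core functions being loaded.

```php
<?php
// Added illustration: not Tutor LMS code and not the vendor's patch.
// example_* names are hypothetical; the 'courses' post type is an assumption.

/**
 * Pure decision: may a user enroll, given the course's post_status?
 * Default-deny: any status not listed explicitly is refused.
 */
function example_enrollment_allowed( string $post_status, bool $is_author, bool $can_read_private ): bool {
    switch ( $post_status ) {
        case 'publish':
            return true;
        case 'private':
            // Private courses: only the author or a role granted read_private_posts.
            return $is_author || $can_read_private;
        default:
            // draft, pending, future, trash, auto-draft, or an unknown value.
            return false;
    }
}

/**
 * WordPress wrapper, called at the top of an enrollment handler
 * before any enrollment record is written.
 *
 * @return true|WP_Error
 */
function example_guard_enrollment( int $course_id, int $user_id, string $course_post_type = 'courses' ) {
    $course = get_post( $course_id );
    if ( ! $course instanceof WP_Post || $course->post_type !== $course_post_type ) {
        return new WP_Error( 'example_invalid_course', 'Not a course.' );
    }

    // Resolve the capability from the post type so custom capability maps are honoured.
    $type_object = get_post_type_object( $course->post_type );
    $private_cap = $type_object ? $type_object->cap->read_private_posts : 'read_private_posts';

    $allowed = example_enrollment_allowed(
        (string) get_post_status( $course ), // false becomes '' and is denied
        (int) $course->post_author === $user_id,
        user_can( $user_id, $private_cap )
    );

    return $allowed
        ? true
        : new WP_Error( 'example_enrollment_forbidden', 'Enrollment not permitted for this course.' );
}
```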
Affected Version(s)
Tutor LMS – eLearning and online course solution 0 <= 3.9.7