Insecure Direct Object Reference in Tutor LMS Plugin for WordPress
CVE-2026-3360

7.5HIGH

Key Information:

Vendor: WordPress
Status: Tutor Lms – Elearning And Online Course Solution
Vendor: CVE Published:; 10 April 2026

What is CVE-2026-3360?

The Tutor LMS plugin for WordPress has a security flaw that allows unauthenticated attackers to manipulate the pay_incomplete_order() function. This vulnerability occurs due to a lack of proper authentication and authorization checks. Attackers can send crafted POST requests containing an order_id parameter that they control. If successful, this can lead to unauthorized access and modifications of any user's billing profile, including their name, email, phone number, and address. The issue arises because the Tutor nonce is publicly accessible, making it easier for malicious users to exploit this loophole without needing authentication.

Affected Version(s)

Tutor LMS – eLearning and online course solution 0 <= 3.9.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/tutor/tags/3.9...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 10, 2026
Vulnerability Reserved
Feb 27, 2026

Credit

Supakiad S.

CVE-2026-3360 Data

JSON