CVE-2026-3360 Overview
The Tutor LMS – eLearning and online course solution plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 3.9.7. This security flaw exists within the pay_incomplete_order() function, which lacks proper authentication and authorization checks. The vulnerability allows unauthenticated attackers to manipulate billing profile data of any user who has an incomplete manual order on the platform.
The function accepts an attacker-controlled order_id parameter and uses it to look up order data, then writes billing fields to the order owner's profile ($order_data->user_id) without verifying the requester's identity or ownership. Because the Tutor nonce (_tutor_nonce) is exposed on public frontend pages, attackers can craft malicious POST requests with guessed or enumerated order_id values to overwrite victim billing profiles.
Critical Impact
Unauthenticated attackers can overwrite billing profile information (name, email, phone, address) of any user with incomplete manual orders, potentially leading to account takeover, phishing attacks, or financial fraud.
Affected Products
- Tutor LMS WordPress Plugin versions up to and including 3.9.7
- WordPress sites running vulnerable Tutor LMS plugin versions
- eLearning platforms built with Tutor LMS ecommerce functionality
Discovery Timeline
- 2026-04-10 - CVE CVE-2026-3360 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-3360
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization) and represents a classic Insecure Direct Object Reference pattern. The pay_incomplete_order() function in the CheckoutController.php file processes payment completion requests without validating whether the requesting user has permission to modify the specified order or its associated user profile.
The attack exploits the lack of ownership verification between the authenticated session (or lack thereof) and the order being manipulated. When processing billing updates, the function directly uses the user_id from the order record to update profile data, trusting that the request comes from the legitimate order owner.
A key enabler of this attack is the exposure of the _tutor_nonce token on public-facing frontend pages. While nonces typically provide CSRF protection, their public availability combined with missing authorization checks renders them ineffective as a security control in this context.
Root Cause
The root cause is missing authentication and authorization validation in the pay_incomplete_order() function. The code fails to:
- Verify that the requester is authenticated
- Confirm that the authenticated user owns or has permission to access the specified order
- Validate that the requester should be allowed to modify billing profile data for the order's associated user
The function blindly trusts the order_id parameter provided in the request and updates the corresponding user's profile without any ownership checks.
Attack Vector
The attack is executed remotely over the network and requires no authentication or user interaction. An attacker can exploit this vulnerability by:
- Identifying WordPress sites running vulnerable Tutor LMS versions
- Extracting the publicly exposed _tutor_nonce value from frontend pages
- Enumerating or guessing valid order_id values for incomplete manual orders
- Sending crafted POST requests with malicious billing data to overwrite victim profiles
The vulnerability mechanism centers on the pay_incomplete_order() function accepting user-controlled input without proper validation. When an attacker submits a POST request with a valid order_id belonging to another user, the function retrieves the order data and uses the $order_data->user_id to update billing fields directly on the victim's profile. For detailed technical analysis, see the Wordfence Vulnerability Analysis and the CheckoutController source code.
Detection Methods for CVE-2026-3360
Indicators of Compromise
- Unusual POST requests to Tutor LMS checkout endpoints with varying order_id parameters from single IP addresses
- Unexpected changes to user billing profiles without corresponding user login activity
- Sequential or patterned order_id values in request logs suggesting enumeration attempts
- Billing profile modifications for users with incomplete manual orders during suspicious timeframes
Detection Strategies
- Monitor web application logs for POST requests targeting checkout functions with anomalous patterns
- Implement rate limiting on order-related API endpoints to detect and block enumeration attempts
- Deploy Web Application Firewall (WAF) rules to detect IDOR attack patterns against Tutor LMS endpoints
- Review user profile change logs for billing updates not correlated with authenticated user sessions
Monitoring Recommendations
- Enable detailed logging for all Tutor LMS ecommerce transactions and profile modifications
- Set up alerts for bulk or rapid order_id parameter changes in checkout requests
- Monitor for unauthenticated requests attempting to access order completion endpoints
- Track user profile changes and flag modifications made without corresponding login events
How to Mitigate CVE-2026-3360
Immediate Actions Required
- Update Tutor LMS plugin to a version newer than 3.9.7 that contains the security fix
- Audit user billing profiles for unauthorized modifications, particularly for accounts with incomplete orders
- Review web server logs for potential exploitation attempts and block suspicious source IPs
- Consider temporarily disabling the manual order payment feature until patching is complete
Patch Information
The vulnerability has been addressed in the Tutor LMS plugin. The security fix can be reviewed in the WordPress Tutor Changeset 3496394, which implements proper authorization checks in the CheckoutController.php file. Site administrators should update to the latest version of the Tutor LMS plugin through the WordPress admin dashboard or by downloading the patched version from the WordPress plugin repository.
Workarounds
- Implement WAF rules to block unauthenticated requests to the pay_incomplete_order endpoint
- Restrict access to checkout-related URLs at the web server level for non-authenticated users
- Consider using a security plugin to add additional authorization layers to sensitive Tutor LMS functions
- Monitor and manually review all incomplete manual orders until the patch can be applied
# Example .htaccess rule to restrict checkout endpoint access
# Add to WordPress root .htaccess file as temporary mitigation
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} tutor.*checkout [NC]
RewriteCond %{HTTP:Authorization} ^$
RewriteRule ^ - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
