Platform
wordpress
Component
tutor
Fixed version
4.0.0
CVE-2026-3358 is a security vulnerability in the Tutor LMS plugin for WordPress. It allows authenticated users with as little as Subscriber-level access to enroll in courses whose post status is 'private' without being authorized to do so. The flaw stems from missing validation in the enrollnow() and courseenrollment() functions. All versions up to and including 3.9.7 are affected; the fix ships in version 3.9.8.
CVE-2026-3358 in Tutor LMS lets users who are authenticated, but not authorized, enroll in private courses. The cause is a missing post_status check in the enrollnow() and courseenrollment() functions. Both functions verify that the nonce is valid, that the user is logged in, and whether the course is purchasable, but neither checks whether the course's post_status is 'private'. The nonce only proves that the request was generated by the site's own pages or scripts; it says nothing about whether the user is permitted to perform the action, and the login check establishes identity, not permission. An authenticated attacker can therefore enroll in courses that were meant to be restricted, compromising the confidentiality of the course content. The CVSS score of 5.4 indicates moderate severity, and the update should be applied promptly to prevent unauthorized access to restricted materials.
Any authenticated user of the WordPress site (for example, a self-registered account with the Subscriber role) can exploit this vulnerability. The attacker only has to craft a request that reaches enrollnow() or courseenrollment() with the ID of a course whose post_status is 'private'. Because the post status is never validated, the enrollment succeeds. The low skill required and the exposure of restricted content make this a significant concern for sites that rely on private courses.
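As an added illustration (not Tutor LMS code, and not a reconstruction of its enrollnow() or courseenrollment() handlers), the PHP below shows the handler pattern the advisory describes beside a hardened version that adds the missing post_status check. Every name prefixed with `example_`, the nonce and AJAX action `example_enroll`, the post type `courses` and the meta key `_example_price` are assumptions made for this demonstration; the capability `read_private_posts` stands in for whatever course-specific capability a real plugin would map.

```php
<?php
/*
 * Illustrative example added to this page. It is not Tutor LMS code and
 * does not reproduce the real enrollnow()/courseenrollment() handlers.
 * Assumed for the demonstration: every example_* function, the nonce and
 * AJAX action 'example_enroll', the post type 'courses', the meta key
 * '_example_price' and the use of the read_private_posts capability.
 */

/* Pattern the advisory describes for versions up to 3.9.7: the handler
 * checks the CSRF nonce, that a user is logged in, and whether the course
 * must be purchased, but never inspects the course's post_status. */
function example_enroll_now_vulnerable() {
    check_ajax_referer( 'example_enroll', 'nonce' );   // CSRF token only
    if ( ! is_user_logged_in() ) {                      // authentication, not authorization
        wp_send_json_error( 'login required', 401 );
    }
    $course_id = absint( $_POST['course_id'] ?? 0 );
    if ( 'courses' !== get_post_type( $course_id ) ) {
        wp_send_json_error( 'not a course', 400 );
    }
    if ( example_course_is_paid( $course_id ) ) {       // purchasable check
        wp_send_json_error( 'purchase required', 403 );
    }
    /* Missing here: nothing rejects a course whose post_status is 'private',
     * so any Subscriber who knows the course ID gets enrolled. */
    example_do_enroll( get_current_user_id(), $course_id );
    wp_send_json_success( array( 'course_id' => $course_id ) );
}

/* Hardened form: the same handler plus a post_status check before enrollment. */
function example_enroll_now_fixed() {
    check_ajax_referer( 'example_enroll', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $course_id = absint( $_POST['course_id'] ?? 0 );
    if ( 'courses' !== get_post_type( $course_id ) ) {
        wp_send_json_error( 'not a course', 400 );
    }
    if ( ! example_user_may_enroll( get_current_user_id(), $course_id ) ) {
        wp_send_json_error( 'course not available', 403 );   // authorization
    }
    if ( example_course_is_paid( $course_id ) ) {
        wp_send_json_error( 'purchase required', 403 );
    }
    example_do_enroll( get_current_user_id(), $course_id );
    wp_send_json_success( array( 'course_id' => $course_id ) );
}

/* Authorization decision keyed on post_status. Published courses are open
 * to any logged-in user; a 'private' course is allowed only for users who
 * may read private content, which the default Subscriber role cannot.
 * Every other status (draft, pending, trash, unknown ID) is refused. */
function example_user_may_enroll( $user_id, $course_id ) {
    $status = get_post_status( $course_id );
    if ( 'publish' === $status ) {
        return true;
    }
    if ( 'private' === $status ) {
        return user_can( $user_id, 'read_private_posts' );   // assumed capability
    }
    return false;
}

/* Minimal stand-ins for the plugin's own purchase and enrollment logic. */
function example_course_is_paid( $course_id ) {
    return (float) get_post_meta( $course_id, '_example_price', true ) > 0;
}

function example_do_enroll( $user_id, $course_id ) {
    add_user_meta( $user_id, '_example_enrolled_course', $course_id, false );
}

add_action( 'wp_ajax_example_enroll', 'example_enroll_now_fixed' );
```

The point of the hardened version is that the decision is made on the course's post_status before any side effect, and that it fails closed: a status the code does not explicitly allow is refused rather than enrolled. The purchasability check remains in place, but it is a billing condition, not an access-control condition, so it cannot substitute for the authorization step.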
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The solution to this vulnerability is to update the Tutor LMS plugin to version 3.9.8 or higher. This update includes the necessary post_status validation to ensure that only authorized users can enroll in private courses. It is recommended to perform this update as soon as possible, especially if you are using private courses on your learning platform. Additionally, review user permission settings and roles to ensure that only users with appropriate privileges have access to the course enrollment function. Backing up your site before the update is a recommended practice.
Update to version 3.9.8, or a newer patched version
A 'nonce' is a security token that helps prevent Cross-Site Request Forgery (CSRF) attacks. It verifies that the request was generated by the site's own pages or scripts rather than by a third-party site. It is not an authorization check: a valid nonce says nothing about whether the logged-in user is allowed to perform the requested action.
Authenticated means the attacker has a valid user account on the WordPress site. They don't need to be an administrator, but a registered user.
In the WordPress admin dashboard, go to 'Plugins' and look for Tutor LMS. If an update is available, a notification will be displayed.
If you cannot update immediately, reduce exposure until you can: since exploitation requires a registered account, limit open user registration, and consider restricting private courses to a specific group of users or taking them offline until the update is applied.
Yes, regularly review user permissions, use strong passwords, and keep all WordPress software, including the theme and other plugins, updated.