Platform: wordpress
Component: tutor
Fixed in: 3.9.8
CVE-2026-3360 is an Insecure Direct Object Reference (IDOR) vulnerability in the Tutor LMS plugin for WordPress. It allows unauthorized users to modify the billing information associated with other users' accounts by manipulating the order_id parameter. The vulnerability affects all versions of Tutor LMS up to and including 3.9.7; a patch is available in version 3.9.8.
CVE-2026-3360 in the Tutor LMS plugin for WordPress is an Insecure Direct Object Reference (IDOR) vulnerability. It allows an attacker to manipulate the order_id parameter to access and modify order data they are not authorized to view or change. Specifically, the payincomplete_order() function lacks proper authentication and authorization checks: it never verifies that the caller is logged in or that the supplied order belongs to them. An attacker could modify billing fields associated with the order owner's profile, compromising user data integrity and potentially enabling fraudulent activity. The CVSS score is 7.5, indicating a high-risk vulnerability. All versions of the plugin up to and including 3.9.7 are affected.
An attacker could exploit this vulnerability by sending crafted HTTP requests to the endpoint that calls the payincomplete_order() function, supplying a manipulated order_id. Because the parameter is not validated against the caller's identity, the system uses the supplied order_id to look up the order and allows the billing fields associated with the order owner to be modified. Exploitation is relatively straightforward, requiring only knowledge of the endpoint and the ability to manipulate HTTP requests; the absence of an authentication check means no account is needed.
Exploit status:
EPSS: 0.12% (31st percentile)
CISA SSVC:
CVSS vector:
The recommended mitigation is to update the Tutor LMS plugin to version 3.9.8 or later. This version adds the missing authentication and authorization checks to the payincomplete_order() function. Applying the update promptly is the most effective way to reduce the risk of exploitation. Additionally, review user permissions within WordPress and restrict access to sensitive functions such as order management. Regularly monitoring server logs for suspicious activity (for example, many requests to the order endpoint that vary only in order_id) can also help detect and respond to attempted attacks.
Update to version 3.9.8 or a newer patched version.
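The following is an added illustration, not Tutor LMS's own code, of the class of defect the advisory describes and of the checks the fix adds. It assumes a WordPress runtime (the WordPress functions used are real; the hook name example_pay_incomplete_order, the loader example_load_order(), the example_orders table and the example_billing_* meta keys are hypothetical placeholders). The first handler trusts an order purely because an order_id was supplied; the second authenticates the caller, verifies a nonce, and checks that the order belongs to the caller before touching any billing fields.

```php
<?php
/*
 * Added example (not Tutor LMS code). Assumes WordPress is loaded.
 * Hypothetical: hook name "example_pay_incomplete_order", table "{prefix}example_orders",
 * meta keys "example_billing_email" / "example_billing_address".
 */

// Hypothetical loader: returns an object with ->id and ->user_id, or null when no row exists.
function example_load_order( int $order_id ): ?object {
    global $wpdb;
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, user_id FROM {$wpdb->prefix}example_orders WHERE id = %d",
            $order_id
        )
    );
    return $row ?: null;
}

// Shared write path: stores sanitized billing fields on the order owner's profile.
function example_save_billing( int $owner_id ): void {
    update_user_meta( $owner_id, 'example_billing_email',
        sanitize_email( $_POST['billing_email'] ?? '' ) );
    update_user_meta( $owner_id, 'example_billing_address',
        sanitize_text_field( $_POST['billing_address'] ?? '' ) );
}

// VULNERABLE pattern (IDOR): no login check, no nonce, no ownership check.
// Whoever supplies a valid order_id can rewrite the billing data of that order's owner.
function example_pay_incomplete_order_vulnerable(): void {
    $order = example_load_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'order not found' ), 404 );
    }
    example_save_billing( (int) $order->user_id );
    wp_send_json_success();
}

// HARDENED handler: authenticate, verify the request origin, then authorize against the object owner.
function example_pay_incomplete_order_hardened(): void {
    // 1. Authentication: anonymous callers are rejected outright.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'authentication required' ), 401 );
    }

    // 2. CSRF protection: the request must carry a nonce minted for this action.
    //    check_ajax_referer() with $die = false returns false instead of exiting.
    if ( ! check_ajax_referer( 'example_pay_incomplete_order', '_wpnonce', false ) ) {
        wp_send_json_error( array( 'message' => 'invalid nonce' ), 403 );
    }

    $order = example_load_order( absint( $_POST['order_id'] ?? 0 ) );

    // 3. Authorization: the order must belong to the caller (site administrators excepted).
    //    The same 404 is returned for "missing" and "not yours", so the endpoint does not
    //    reveal which order ids exist.
    $is_owner = $order && (int) $order->user_id === get_current_user_id();
    if ( ! $order || ( ! $is_owner && ! current_user_can( 'manage_options' ) ) ) {
        wp_send_json_error( array( 'message' => 'order not found' ), 404 );
    }

    example_save_billing( (int) $order->user_id );
    wp_send_json_success();
}

// Register only the hardened handler, and only for logged-in users:
// deliberately no wp_ajax_nopriv_ hook, so unauthenticated requests never reach it.
add_action( 'wp_ajax_example_pay_incomplete_order', 'example_pay_incomplete_order_hardened' );
```

The ownership comparison is the step that closes the IDOR: the login and nonce checks alone would still let any logged-in user edit any order, which is why the authorization check compares the order's user_id with the current user rather than merely confirming that a user exists.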
An IDOR (Insecure Direct Object Reference) vulnerability occurs when a web application lets a user reach internal objects (files, database records, orders, and so on) through a predictable or user-controlled identifier without checking that the user is authorized to access that particular object.
If you are using a version of Tutor LMS prior to 3.9.8, your site is vulnerable. You can verify the plugin version within the WordPress admin dashboard, under the plugins section.
If you suspect your site has been compromised, immediately update to the latest version of Tutor LMS, change all passwords related to the site (including the database password), and perform a thorough security audit.
Web vulnerability scanners can detect this vulnerability, although they may require specific configuration. You can also verify manually, on a test installation, that the payincomplete_order() function does not validate the caller against the order owner.
Besides updating the plugin, ensure WordPress and all other plugins are kept up-to-date, use strong passwords, implement a web application firewall (WAF), and perform regular backups of your site.