Platform
wordpress
Component
tutor
Fixed in
4.0.0
CVE-2026-3371 is an Insecure Direct Object Reference (IDOR) vulnerability in the Tutor LMS plugin for WordPress, affecting versions up to and including 3.9.7 and patched in 3.9.8. The flaw is a missing authorization check in the private method save_course_content_order(), which the tutor_update_course_content_order AJAX handler calls unconditionally. The handler's content_parent branch does include a can_user_manage() check, but the save_course_content_order() call that follows processes the attacker-supplied course and content identifiers without verifying that the caller is allowed to manage them. An attacker can use this to reorder course content, disrupting the learning experience and undermining the integrity of the course material. The CVSS score of 4.3 (medium) reflects a limited, integrity-only impact, but the fix is simple and should be applied promptly.
Exploitation consists of a crafted AJAX request to the tutor_update_course_content_order action. Because save_course_content_order() never ties the course or content IDs in the request to the caller's rights, any caller who can reach the handler can supply IDs for a course they do not own and change the order of its modules and lessons, causing confusion or burying critical content. The page characterizes the request as possible without authentication; note that WordPress only exposes an AJAX action to logged-out visitors when the plugin registers a wp_ajax_nopriv_ hook for it, so verify which hooks your installed version registers before assuming unauthenticated reachability. The ease of exploitation, combined with the effect on learning materials, makes this a real concern even at medium severity.
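To make the bug class concrete, here is an added, simplified PHP reconstruction of the pattern the advisory describes. It is written for this page and is not Tutor LMS source: the parameter names course_id, content_parent and content_ids, every example_* function, the nonce action name, and the assumption that course content nests under its course via post_parent are all illustrative, and core WordPress capability checks stand in for the plugin's own can_user_manage() helper. The first handler authorizes only inside the content_parent branch and then writes unconditionally; the second authorizes the course and checks that every object named in the request belongs to it before any write.

```php
<?php
// Added example: illustrative reconstruction, NOT Tutor LMS code.
// Assumed request: POST /wp-admin/admin-ajax.php with
//   action=<handler>, course_id=<int>, content_parent=<int|absent>,
//   content_ids[]=<int>...   (hypothetical names; the new display order)
// Assumed content model: topics/lessons are posts that reach their course by
// following post_parent upwards (hypothetical; the real hierarchy may differ).

/** Persist the given order as menu_order on each item. No checks here. */
function example_save_course_content_order( int $course_id, array $content_ids ): void {
    foreach ( $content_ids as $position => $content_id ) {
        wp_update_post( array( 'ID' => $content_id, 'menu_order' => $position ) );
    }
}

/** Move items under a new parent. No checks here. */
function example_reparent_content( int $content_parent, array $content_ids ): void {
    foreach ( $content_ids as $content_id ) {
        wp_update_post( array( 'ID' => $content_id, 'post_parent' => $content_parent ) );
    }
}

/** Read and type-coerce the request; coercion is not authorization. */
function example_read_order_request(): array {
    return array(
        'course_id'      => isset( $_POST['course_id'] ) ? (int) $_POST['course_id'] : 0,
        'content_parent' => isset( $_POST['content_parent'] ) ? (int) $_POST['content_parent'] : 0,
        'content_ids'    => array_map( 'intval', (array) ( $_POST['content_ids'] ?? array() ) ),
    );
}

/** True if $object_id sits somewhere below $course_id in the post_parent chain. */
function example_belongs_to_course( int $object_id, int $course_id ): bool {
    if ( $object_id <= 0 || $object_id === $course_id ) {
        return false;
    }
    for ( $guard = 0; $object_id && $guard < 10; $guard++ ) {
        $object_id = (int) wp_get_post_parent_id( $object_id );
        if ( $object_id === $course_id ) {
            return true;
        }
    }
    return false;
}

// VULNERABLE SHAPE: the only authorization check sits in one branch; the
// order-saving call below it runs for every request, on attacker-chosen IDs.
function example_vulnerable_handler(): void {
    $r = example_read_order_request();

    if ( $r['content_parent'] ) {
        if ( ! current_user_can( 'edit_post', $r['content_parent'] ) ) {
            wp_send_json_error( 'forbidden', 403 ); // wp_send_json_* terminates
        }
        example_reparent_content( $r['content_parent'], $r['content_ids'] );
    }

    // IDOR: nothing ties $r['course_id'] or $r['content_ids'] to the caller.
    example_save_course_content_order( $r['course_id'], $r['content_ids'] );
    wp_send_json_success();
}

// HARDENED SHAPE: CSRF token, then authorize the course and verify that each
// referenced object really belongs to it, before any write happens.
function example_hardened_handler(): void {
    check_ajax_referer( 'example_content_order', 'nonce' ); // CSRF only, not authZ
    $r = example_read_order_request();

    if ( ! $r['course_id'] || ! current_user_can( 'edit_post', $r['course_id'] ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $targets = $r['content_ids'];
    if ( $r['content_parent'] ) {
        $targets[] = $r['content_parent'];
    }
    foreach ( $targets as $object_id ) {
        // Object-level check: an instructor of course A must not be able to
        // name course B's lessons (or a parent inside course B) in the request.
        if ( ! example_belongs_to_course( $object_id, $r['course_id'] ) ) {
            wp_send_json_error( 'object does not belong to course', 400 );
        }
    }

    if ( $r['content_parent'] ) {
        example_reparent_content( $r['content_parent'], $r['content_ids'] );
    }
    example_save_course_content_order( $r['course_id'], $r['content_ids'] );
    wp_send_json_success();
}

add_action( 'wp_ajax_example_update_course_content_order', 'example_hardened_handler' );
```

The point of the hardened version is that the capability check on the course alone is not enough for an IDOR: the request also names the objects to be reordered, so each of them has to be proven to belong to the authorized course. Note that `current_user_can('edit_post', …)` is a stand-in; a plugin with its own role model (instructors, co-instructors) should use its own ownership helper, as the page says Tutor LMS does with can_user_manage().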
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-3371 is to update Tutor LMS to version 3.9.8 or later, which adds the missing authorization checks to save_course_content_order() so that course content order can no longer be modified by unauthorized users. Take a full backup of the WordPress site before updating. Independently of the patch, review WordPress user roles and permissions regularly so that only the intended users can manage course content, and monitor for suspicious tutor_update_course_content_order AJAX requests. One caveat for that monitoring: the action name of an admin-ajax.php request is normally sent in the POST body, so a standard web-server access log only records POST /wp-admin/admin-ajax.php; to attribute requests to this specific action you need visibility into the request body, for example from a WAF or from a hook inside WordPress itself.
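The following is an added example of such an in-WordPress hook, written for this page and not part of Tutor LMS: a must-use plugin that records every call to the tutor_update_course_content_order action, with the calling user, client IP and the parameters actually sent, before the plugin's own handler runs. The course_id parameter name used for the optional "can this user edit the course" flag is an assumption; adjust it to whatever your installed version sends.

```php
<?php
/**
 * Plugin Name: Content-order audit hook (added example; not part of Tutor LMS)
 * Place this file in wp-content/mu-plugins/. It runs at priority 1, i.e. before
 * a handler registered at WordPress' default priority 10, so the request is
 * recorded even when the plugin's own code would accept it. One JSON line per
 * call goes to the PHP error log; tail it or forward it to your SIEM.
 */

function example_audit_content_order_request(): void {
    $user_id = get_current_user_id(); // 0 for a logged-out caller

    // Record every parameter the client sent, sanitized. We do not assume the
    // plugin's own parameter names; map_deep() handles nested arrays.
    $params = map_deep( $_POST, 'sanitize_text_field' );
    unset( $params['action'] );

    $record = array(
        'ts'      => gmdate( 'c' ),
        'action'  => 'tutor_update_course_content_order',
        'user_id' => $user_id,
        'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : '',
        'params'  => $params,
    );

    // Hypothetical heuristic (assumed parameter name "course_id"): flag requests
    // whose caller cannot edit the course they are trying to reorder. A stream
    // of can_edit_course=false records is the IDOR being probed or exploited.
    if ( isset( $params['course_id'] ) && is_numeric( $params['course_id'] ) ) {
        $record['can_edit_course'] = current_user_can( 'edit_post', (int) $params['course_id'] );
    }

    error_log( 'tutor-order-audit ' . wp_json_encode( $record ) );
    // Deliberately no exit/die: the plugin's own handler still runs after this.
}

add_action( 'wp_ajax_tutor_update_course_content_order', 'example_audit_content_order_request', 1 );
// The nopriv hook only ever fires for logged-out callers and only records; it
// does not make the plugin's handler reachable if the plugin did not register one.
add_action( 'wp_ajax_nopriv_tutor_update_course_content_order', 'example_audit_content_order_request', 1 );
```

Because the hook runs before the vulnerable code rather than after it, the record survives even if the handler dies early, and the `user_id` field answers the question a WAF log cannot: which account, if any, sent the request.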
Update to version 3.9.8, or a newer patched version
It's a security vulnerability in Tutor LMS that allows unauthorized users to modify the order of course content.
Update immediately to version 3.9.8 or later.
Yes, it is strongly recommended to create a full backup of your WordPress website before applying any plugin update.
If you are using a version prior to 3.9.8, your website is vulnerable.
Review user roles and permissions in WordPress and monitor server logs for suspicious activity.