Platform
wordpress
Component
tutor
Fixed version
4.0.0
CVE-2026-3371 is an Insecure Direct Object Reference (IDOR) vulnerability in the Tutor LMS plugin for WordPress. The flaw allows unauthorized users to modify the order of course content because the plugin's save_course_content_order() function performs insufficient authorization checks. The vulnerability affects Tutor LMS versions up to and including 3.9.7, and a patch is available in version 3.9.8.
CVE-2026-3371 in Tutor LMS is an Insecure Direct Object Reference (IDOR) vulnerability affecting versions up to and including 3.9.7. It arises from missing authorization checks within the save_course_content_order() private method, which is unconditionally called by the tutor_update_course_content_order AJAX handler. While the handler's content_parent branch includes a can_user_manage() check, the save_course_content_order() call processes attacker-supplied data without proper validation. An attacker can exploit this to manipulate the order of course content, potentially disrupting the learning experience and compromising the integrity of the course material. The CVSS score of 4.3 indicates a moderate impact, but prompt remediation is still warranted.
The vulnerability is exploited through a crafted AJAX request to the tutor_update_course_content_order endpoint. An attacker can send this request without authentication, because the save_course_content_order() function lacks proper authorization checks. By manipulating the request parameters, an attacker can alter the order of course modules and lessons, potentially causing confusion or removing critical content. The ease of exploitation, coupled with the potential impact on learning materials, makes this a significant security concern.
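The defect described above is an authorization check that is present on one branch of an AJAX handler but absent on the path that actually writes the new order. As an added illustration (this is not code from Tutor LMS or from this advisory), the following hypothetical WordPress AJAX handler shows the pattern a fix restores: the nonce and the capability check run before any attacker-supplied data is processed, and every item in the submitted order is verified to belong to the course the user is allowed to manage. The action name example_update_content_order, the nonce name, and the helper example_can_user_manage_course() are placeholders chosen for this example.

```php
<?php
// Added example, not Tutor LMS code: a WordPress AJAX handler that reorders
// content items and refuses to act unless BOTH a nonce and a capability check
// pass, on every code path, before any input is used. The action name, nonce
// name and helper function are placeholders chosen for this illustration.

add_action( 'wp_ajax_example_update_content_order', 'example_update_content_order' );

function example_update_content_order() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    //    check_ajax_referer() terminates the request if the nonce is missing or wrong.
    check_ajax_referer( 'example_content_order_nonce', 'nonce' );

    // 2. Authorization on the parent object, before touching the order payload.
    $course_id = isset( $_POST['course_id'] ) ? absint( $_POST['course_id'] ) : 0;
    if ( ! $course_id || ! example_can_user_manage_course( $course_id ) ) {
        // wp_send_json_error() calls wp_die(), so execution stops here.
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Validate the payload: a list of item IDs, each of which must be a child
    //    of the course the user is authorized to manage (the IDOR check).
    $raw_order = isset( $_POST['content_order'] ) ? (array) $_POST['content_order'] : array();
    $order     = array_values( array_unique( array_map( 'absint', $raw_order ) ) );
    foreach ( $order as $item_id ) {
        $item = get_post( $item_id );
        if ( ! $item || (int) $item->post_parent !== $course_id ) {
            wp_send_json_error( array( 'message' => 'Item does not belong to this course.' ), 400 );
        }
    }

    // 4. Persist the new order only after every check has passed.
    foreach ( $order as $position => $item_id ) {
        wp_update_post( array( 'ID' => $item_id, 'menu_order' => $position ) );
    }

    wp_send_json_success( array( 'order' => $order ) );
}

/**
 * Hypothetical authorization helper for this example: site administrators,
 * or the author of the course, may manage its content order.
 */
function example_can_user_manage_course( $course_id ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    $course = get_post( $course_id );
    return $course && (int) $course->post_author === get_current_user_id();
}
```

Two design points matter here. The handler is registered only under wp_ajax_ and not wp_ajax_nopriv_, so WordPress rejects unauthenticated requests before the function runs at all. And the authorization and ownership checks are unconditional, sitting ahead of the write rather than inside one branch, which is exactly the structural property the advisory says was missing on the save_course_content_order() path.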
Exploitation status
EPSS
0.03% (9th percentile)
CISA SSVC
The recommended mitigation for CVE-2026-3371 is to update Tutor LMS to version 3.9.8 or later. This update adds the necessary authorization checks to save_course_content_order() to prevent unauthorized modification of course content order. Before updating, it is strongly advised to create a full backup of your WordPress website. Regularly review user roles and permissions within WordPress to ensure that only authorized users can manage course content. Furthermore, monitor server logs for any suspicious activity related to tutor_update_course_content_order AJAX requests.
Update to version 3.9.8, or a newer patched version
It's a security vulnerability in Tutor LMS that allows unauthorized users to modify the order of course content.
Update immediately to version 3.9.8 or later.
Yes, it is strongly recommended to create a full backup of your WordPress website before applying any plugin update.
If you are using a version prior to 3.9.8, your website is vulnerable.
Review user roles and permissions in WordPress and monitor server logs for suspicious activity.
CVSS vector