CVE-2026-3360

Name of the Vulnerable Software and Affected Versions Tutor LMS versions through 3.9.7

Description The Tutor LMS plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This is due to the absence of proper authentication and authorization checks within the pay incomplete order() function. The function utilizes an attacker-controlled order id parameter to retrieve order data and subsequently updates billing fields associated with the order owner ($order data->user id) without verifying the identity or ownership of the requester. The exposure of the Tutor nonce ( tutor nonce) on public frontend pages enables unauthenticated attackers to modify the billing profile (name, email, phone, address) of any user with an incomplete manual order by submitting a crafted POST request with a guessed or enumerated order id.

Recommendations Update Tutor LMS to a version later than 3.9.7.