CVE-2026-3358

Name of the Vulnerable Software and Affected Versions Tutor LMS versions up to and including 3.9.7

Description The Tutor LMS plugin for WordPress is susceptible to unauthorized enrollment in private courses. This occurs because the enroll now() and course enrollment() functions do not validate the post status of a course, specifically whether it is marked as private. An authenticated attacker with Subscriber-level access or higher can enroll in a private course by sending a crafted POST request containing the course ID. While WordPress access control prevents viewing the course content, the course title and enrollment status are visible in the subscriber's dashboard.

Recommendations Update Tutor LMS to a version later than 3.9.7.