CVE-2026-3371
Received Received - Intake
IDOR Vulnerability in Tutor LMS Plugin Allows Course Content Manipulation

Publication date: 2026-04-11

Last updated on: 2026-04-11

Assigner: Wordfence

Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-11
Last Modified
2026-04-11
Generated
2026-06-16
AI Q&A
2026-04-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-3371
EUVD
EUVD-2026-21615
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tutor_lms tutor_lms to 3.9.7 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Tutor LMS WordPress plugin up to version 3.9.7 and is classified as an Insecure Direct Object Reference (IDOR). It occurs because the private method save_course_content_order() lacks proper authorization checks. Although the AJAX handler tutor_update_course_content_order performs some checks in one branch, the call to save_course_content_order() processes attacker-supplied JSON data without verifying ownership or user capabilities.

As a result, an authenticated user with Subscriber-level access or higher can manipulate course content by detaching lessons from topics, reordering course content, and reassigning lessons between topics in any course, including those owned by administrators, by sending a specially crafted AJAX request with modified topic and lesson IDs.

Impact Analysis

This vulnerability allows attackers with low-level authenticated access to modify course content arbitrarily. They can detach lessons from topics, reorder the course content, and reassign lessons between topics in any course, even those owned by administrators.

Such unauthorized modifications can disrupt the learning experience, cause confusion among users, and potentially damage the integrity and trustworthiness of the eLearning platform.

Compliance Impact

The vulnerability allows authenticated attackers with Subscriber-level access or above to manipulate course content by detaching lessons from topics, reordering content, and reassigning lessons between topics without proper authorization checks.

While this unauthorized modification capability could potentially lead to integrity issues in course content management, there is no direct information provided about its impact on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or unauthorized AJAX requests to the `tutor_update_course_content_order` handler, especially those containing manipulated `tutor_topics_lessons_sorting` JSON data that reorder course content or reassign lessons.

Since the vulnerability involves authenticated users with Subscriber-level access or above sending crafted AJAX requests, detection can focus on analyzing web server logs or using network monitoring tools to identify suspicious POST requests to the AJAX endpoint related to course content ordering.

Specific commands depend on your environment, but examples include:

  • Using grep on web server logs to find suspicious AJAX calls: `grep tutor_update_course_content_order /var/log/apache2/access.log`
  • Using curl to simulate and test the AJAX request (for detection or testing): `curl -X POST -d 'action=tutor_update_course_content_order&tutor_topics_lessons_sorting=...' https://yourwordpresssite.com/wp-admin/admin-ajax.php`
  • Using network monitoring tools like Wireshark or tcpdump to filter HTTP POST requests to the AJAX handler URL.
Mitigation Strategies

Immediate mitigation steps include updating the Tutor LMS plugin to a version later than 3.9.7 where this vulnerability is fixed.

If an update is not immediately possible, restrict access to the AJAX handler by limiting authenticated user capabilities or applying web application firewall (WAF) rules to block suspicious AJAX requests attempting to reorder course content.

Additionally, monitor user activity for unauthorized course content changes and consider temporarily disabling the affected functionality if feasible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3371. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart