CVE-2026-3371: CWE-639 Authorization Bypass Through User-Controlled Key in themeum Tutor LMS – eLearning and online course solution
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs.
AI Analysis
Technical Summary
The Tutor LMS plugin for WordPress suffers from an Insecure Direct Object Reference vulnerability due to missing authorization checks in the save_course_content_order() private method. Although the AJAX handler tutor_update_course_content_order performs a can_user_manage() check in one branch, the method that processes the tutor_topics_lessons_sorting JSON data does not verify user ownership or capabilities. This flaw enables authenticated users with Subscriber-level privileges or higher to reorder lessons, detach them from topics, and reassign lessons across courses, including those owned by administrators, by sending crafted AJAX requests with manipulated topic and lesson IDs.
Potential Impact
The vulnerability allows unauthorized modification of course content order and lesson-topic assignments by authenticated users with low privileges. There is no impact on confidentiality or availability, but the integrity of course content can be compromised, potentially disrupting course structure and user experience.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles to trusted users only and monitor for suspicious AJAX requests related to course content ordering. Avoid granting Subscriber-level or higher access to untrusted users. Follow updates from the vendor for an official patch or temporary mitigation.
CVE-2026-3371: CWE-639 Authorization Bypass Through User-Controlled Key in themeum Tutor LMS – eLearning and online course solution
Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Tutor LMS plugin for WordPress suffers from an Insecure Direct Object Reference vulnerability due to missing authorization checks in the save_course_content_order() private method. Although the AJAX handler tutor_update_course_content_order performs a can_user_manage() check in one branch, the method that processes the tutor_topics_lessons_sorting JSON data does not verify user ownership or capabilities. This flaw enables authenticated users with Subscriber-level privileges or higher to reorder lessons, detach them from topics, and reassign lessons across courses, including those owned by administrators, by sending crafted AJAX requests with manipulated topic and lesson IDs.
Potential Impact
The vulnerability allows unauthorized modification of course content order and lesson-topic assignments by authenticated users with low privileges. There is no impact on confidentiality or availability, but the integrity of course content can be compromised, potentially disrupting course structure and user experience.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles to trusted users only and monitor for suspicious AJAX requests related to course content ordering. Avoid granting Subscriber-level or higher access to untrusted users. Follow updates from the vendor for an official patch or temporary mitigation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-27T22:04:08.540Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d9a5741cc7ad14da144113
Added to database: 4/11/2026, 1:35:48 AM
Last enriched: 4/11/2026, 1:51:26 AM
Last updated: 4/11/2026, 7:22:00 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.