CVE-2026-3371: CWE-639 Authorization Bypass Through User-Controlled Key in themeum Tutor LMS – eLearning and online course solution
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs.
AI Analysis
Technical Summary
The Tutor LMS plugin for WordPress contains an Insecure Direct Object Reference vulnerability (CWE-639) due to missing authorization checks in the save_course_content_order() method. This method is invoked by the tutor_update_course_content_order AJAX handler without verifying user ownership or capability over the course content being manipulated. Although some authorization checks exist in other branches of the handler, the critical processing of the attacker-controlled tutor_topics_lessons_sorting JSON lacks such checks. Consequently, authenticated users with minimal privileges can reorder course content and reassign lessons across any course, including those owned by administrators. This vulnerability affects all versions up to and including 3.9.7. No patch or official remediation has been published as of the current data.
Potential Impact
An attacker with Subscriber-level or higher access can manipulate course content order and lesson assignments across any course, including those owned by administrators. This can lead to unauthorized modification of course structure and content organization, potentially disrupting course delivery and integrity. There is no indication of data disclosure or system compromise. The impact is limited to integrity of course content within the affected LMS plugin.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles and permissions to trusted users only and monitor for suspicious activity related to course content reordering. Avoid granting Subscriber-level or higher access to untrusted users. Follow updates from the vendor for a forthcoming patch or official mitigation instructions.
CVE-2026-3371: CWE-639 Authorization Bypass Through User-Controlled Key in themeum Tutor LMS – eLearning and online course solution
Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authorization checks in the `save_course_content_order()` private method, which is called unconditionally by the `tutor_update_course_content_order` AJAX handler. While the handler's `content_parent` branch includes a `can_user_manage()` check, the `save_course_content_order()` call processes attacker-supplied `tutor_topics_lessons_sorting` JSON without any ownership or capability verification. This makes it possible for authenticated attackers with Subscriber-level access or above to detach lessons from topics, reorder course content, and reassign lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request with manipulated topic and lesson IDs.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Tutor LMS plugin for WordPress contains an Insecure Direct Object Reference vulnerability (CWE-639) due to missing authorization checks in the save_course_content_order() method. This method is invoked by the tutor_update_course_content_order AJAX handler without verifying user ownership or capability over the course content being manipulated. Although some authorization checks exist in other branches of the handler, the critical processing of the attacker-controlled tutor_topics_lessons_sorting JSON lacks such checks. Consequently, authenticated users with minimal privileges can reorder course content and reassign lessons across any course, including those owned by administrators. This vulnerability affects all versions up to and including 3.9.7. No patch or official remediation has been published as of the current data.
Potential Impact
An attacker with Subscriber-level or higher access can manipulate course content order and lesson assignments across any course, including those owned by administrators. This can lead to unauthorized modification of course structure and content organization, potentially disrupting course delivery and integrity. There is no indication of data disclosure or system compromise. The impact is limited to integrity of course content within the affected LMS plugin.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict user roles and permissions to trusted users only and monitor for suspicious activity related to course content reordering. Avoid granting Subscriber-level or higher access to untrusted users. Follow updates from the vendor for a forthcoming patch or official mitigation instructions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-02-27T22:04:08.540Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d9a5741cc7ad14da144113
Added to database: 4/11/2026, 1:35:48 AM
Last enriched: 4/18/2026, 2:37:30 PM
Last updated: 5/26/2026, 1:37:43 PM
Views: 53
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.