CVE-2026-3371 MEDIUM

CVE-2026-3371: Tutor LMS <= 3.9.7 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Course Content Modification

Vendor Themeum
Product Tutor LMS – eLearning and online course solution
Weakness CWE-639 · Authorization Bypass Through User-Controlled Key (IDOR)
Published April 11, 2026
Last update April 13, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.9.7. The cause is a missing authorization check in the `save_course_content_order()` private method, which the `tutor_update_course_content_order` AJAX handler calls unconditionally. The handler's `content_parent` branch does call `can_user_manage()`, but `save_course_content_order()` processes the attacker-supplied `tutor_topics_lessons_sorting` JSON without verifying that the caller owns, or has the capability to edit, the course that each referenced topic and lesson belongs to. An authenticated attacker with Subscriber-level access or above can therefore detach lessons from topics, reorder course content, and move lessons between topics in any course, including admin-owned courses, by sending a crafted AJAX request whose payload carries manipulated topic and lesson IDs.
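Added example, not code from Tutor LMS or Themeum and not the vendor's fix: a stand-alone must-use plugin that hooks the same AJAX action at an early priority and enforces the per-course ownership check the vulnerable path lacks, rejecting the request before the plugin's own handler runs. It assumes the `tutor_topics_lessons_sorting` payload has the shape shown in the comment, that Tutor's course post type is `courses` with topics and lessons linked to their course through `post_parent`, that the plugin registers its handler at WordPress's default priority, and it uses core's `edit_post` capability instead of the plugin's `can_user_manage()`. All of those are assumptions rather than facts from this record, and every function prefixed `example_` is invented for the illustration.

```php
<?php
/**
 * Illustrative mu-plugin: early guard for tutor_update_course_content_order.
 * Not Tutor LMS code. Payload layout, post type slugs and the parent
 * hierarchy below are assumptions; adjust them to the installed version.
 */

// Assumed layout of the tutor_topics_lessons_sorting POST field, e.g.
// {"0":{"topic_id":12,"lesson_ids":{"0":34,"1":56}}}
// Returns every referenced topic/lesson ID, or null on a malformed payload.
function example_collect_ids_from_sorting( string $json ): ?array {
    $data = json_decode( $json, true );
    if ( ! is_array( $data ) ) {
        return null; // malformed JSON: fail closed
    }
    $ids = array();
    foreach ( $data as $entry ) {
        if ( ! is_array( $entry ) || ! isset( $entry['topic_id'] ) ) {
            return null; // unexpected shape: fail closed rather than skip
        }
        $ids[] = (int) $entry['topic_id'];
        foreach ( (array) ( $entry['lesson_ids'] ?? array() ) as $lesson_id ) {
            $ids[] = (int) $lesson_id;
        }
    }
    return array_values( array_unique( array_filter( $ids ) ) );
}

// Resolve a topic or lesson to its course and ask core whether $user_id may
// edit that course. Assumes lesson -> topic -> course via post_parent and
// the course post type slug 'courses'.
function example_user_can_edit_content( int $post_id, int $user_id ): bool {
    $post = get_post( $post_id );
    if ( ! $post ) {
        return false; // nonexistent object: fail closed
    }
    $course_id = $post_id;
    // Walk up at most two levels: lesson -> topic -> course.
    for ( $i = 0; $i < 2 && $post && 'courses' !== $post->post_type; $i++ ) {
        $course_id = (int) $post->post_parent;
        $post      = $course_id ? get_post( $course_id ) : null;
    }
    if ( ! $post || 'courses' !== $post->post_type ) {
        return false; // orphaned content or wrong post type
    }
    return user_can( $user_id, 'edit_post', $course_id );
}

// Runs before the plugin's handler (priority 1 vs. the assumed default 10).
// wp_send_json_error() terminates the request, so the handler never runs
// for a rejected payload.
function example_guard_content_order(): void {
    $user_id = get_current_user_id();
    $raw     = isset( $_POST['tutor_topics_lessons_sorting'] )
        ? wp_unslash( $_POST['tutor_topics_lessons_sorting'] )
        : '';
    $ids = example_collect_ids_from_sorting( (string) $raw );
    if ( null === $ids ) {
        wp_send_json_error( array( 'message' => 'Malformed sorting payload' ), 400 );
    }
    foreach ( $ids as $id ) {
        if ( ! example_user_can_edit_content( $id, $user_id ) ) {
            wp_send_json_error( array( 'message' => 'Not allowed to modify this course content' ), 403 );
        }
    }
    // Every referenced topic and lesson belongs to a course this user may
    // edit; fall through to the plugin's own handler.
}
add_action( 'wp_ajax_tutor_update_course_content_order', 'example_guard_content_order', 1 );
```

Drop the file into `wp-content/mu-plugins/` to activate it. Two caveats: core's `edit_post` check may reject co-instructors or other roles that the plugin's own `can_user_manage()` would accept, so a permanent fix belongs in the plugin, and this guard is an interim measure until the site is upgraded, not a substitute for the vendor's update or for the handler's nonce check.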

Explanation of Vulnerability in Simple Terms

02 Summary

Tutor LMS versions up to and including 3.9.7 let any authenticated user with Subscriber-level access or above rearrange the structure of courses they do not own: lessons can be detached from topics, reordered, or moved between topics, including in courses owned by administrators. Exploitation needs a valid account and network access to the site's AJAX endpoint but no interaction from a victim. Only integrity is affected; no data is disclosed and the site stays available.

What an attacker can do

03 Attacker Capabilities

Reorder topics and lessons, detach lessons from their topic, or move lessons between topics in any course regardless of who owns it, by submitting manipulated topic and lesson IDs in the `tutor_topics_lessons_sorting` payload of a `tutor_update_course_content_order` AJAX request.

Potential impact on your site

04 Site Impact

Course structure can be corrupted by any low-privileged account: learners may find lessons in the wrong order, under the wrong topic, or detached from their topic entirely, and instructors have to reassemble the content by hand. The affected code path only reorders and reassigns topics and lessons; it does not disclose data (Confidentiality: None) or affect availability.

Conditions required to exploit

05 Prerequisites

A WordPress account on the target site with Subscriber-level access or above. No instructor role, course ownership or enrollment in the targeted course is needed, so on sites with open user registration anyone who signs up qualifies.

Key dates

06 Disclosure timeline

April 11, 2026 CVE published
April 13, 2026 Record updated
