CVE-2026-3360
Published: 10 April 2026
Summary
CVE-2026-3360 is a high-severity Missing Authorization (CWE-862) vulnerability, exploitable as an Insecure Direct Object Reference, in the Tutor LMS – eLearning and online course solution plugin for WordPress, affecting all versions up to and including 3.9.7. Its CVSS v3.1 base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigating controls our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation); the direct remediation is updating the plugin to a release later than 3.9.7 that carries the fix.
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations, which is exactly the check missing from pay_incomplete_order(): the function never verifies that the requester is authenticated or that the requester owns the order referenced by order_id, and that omission is what makes the IDOR exploitable.
SI-10 requires validation of attacker-controlled inputs such as order_id at system entry points. Rejecting malformed identifiers narrows the attack surface, but validating the format of order_id does not establish ownership; it complements the AC-3 ownership check rather than replacing it.
AC-6 enforces least privilege, ensuring that pay_incomplete_order() requires an authenticated user who owns the order before any billing fields are written, and that the endpoint is not reachable by unauthenticated callers at all.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The IDOR in a public-facing WordPress plugin allows remote, unauthenticated exploitation of the application (T1190) and direct unauthorized modification of stored user profile data (T1565.001, Stored Data Manipulation).
NVD Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecure Direct Object Reference in all versions up to, and including, 3.9.7. This is due to missing authentication and authorization checks in the `pay_incomplete_order()` function. The function accepts an attacker-controlled `order_id` parameter and uses it to look up order data, then writes billing fields to the order owner's profile (`$order_data->user_id`) without verifying the requester's identity or ownership. Because the Tutor nonce (`_tutor_nonce`) is exposed on public frontend pages, this makes it possible for unauthenticated attackers to overwrite the billing profile (name, email, phone, address) of any user who has an incomplete manual order, by sending a crafted POST request with a guessed or enumerated `order_id`.
Deeper analysis
CVE-2026-3360 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-862 (Missing Authorization), affecting the Tutor LMS – eLearning and online course solution plugin for WordPress in all versions up to and including 3.9.7. The issue stems from missing authentication and authorization checks in the `pay_incomplete_order()` function within the plugin's ecommerce CheckoutController. This function accepts an attacker-controlled `order_id` parameter, retrieves the corresponding order data, and updates billing fields on the order owner's user profile (`$order_data->user_id`) without verifying the requester's identity or ownership. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high integrity impact with no confidentiality or availability effects.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity by sending a crafted POST request containing a guessed or enumerated `order_id` for any user who has an incomplete manual order. The Tutor nonce (`_tutor_nonce`) is the only gate the request must pass, and because it is rendered on public frontend pages any visitor can obtain a valid one. A WordPress nonce is a CSRF token: it shows that a request originated from a page that rendered the token, not who is sending it, so it cannot substitute for an authentication or ownership check. With the nonce satisfied, the attacker overwrites the target user's billing profile, including name, email, phone, and address fields, without the victim's knowledge or consent.
The references point to the WordPress plugin Trac repository for the affected code: line 563 of Tutor.php and lines 108 and 1059 of ecommerce/CheckoutController.php in the 3.9.7 tag, and line 1059 of the same file in trunk. The fix is changeset 3496394 against trunk/ecommerce/CheckoutController.php; sites should update to a release later than 3.9.7 that includes it.
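The shape of the flaw described in the NVD text and the analysis above, beside a hardened handler that applies the AC-3/AC-6 checks, as an added illustration written for this page. This is not Tutor LMS code and is not the changeset referenced above: the vulnerable handler is a reconstruction of the flaw class from the advisory wording, and the `acme_` names, the AJAX action, the nonce action string, the orders table and the meta keys are assumptions for the example.

```php
<?php
/**
 * Added illustration for CVE-2026-3360 (not Tutor LMS code).
 * Assumed for the example: an orders table {prefix}acme_orders with
 * columns id, user_id, status; AJAX action acme_pay_incomplete_order;
 * nonce action 'acme_pay'; user meta keys billing_email / billing_phone.
 */

// Assumed lookup helper: the order row for an id, or null.
function acme_get_order( $order_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'acme_orders';
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, user_id, status FROM {$table} WHERE id = %d", $order_id )
    );
}

// ---- Vulnerable shape: reconstructed from the advisory, not the real code ----
// The only gate is the nonce. A nonce is a CSRF token: it proves the request
// came from a page that rendered it, not who is sending it. When that page is
// public, every visitor holds a valid nonce, so this check gates nothing.
function acme_pay_incomplete_order_vulnerable() {
    check_ajax_referer( 'acme_pay', '_acme_nonce' );

    $order_id = absint( $_POST['order_id'] ?? 0 );   // attacker chooses the id
    $order    = acme_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'order not found', 404 );
    }

    // Billing fields are written to the ORDER OWNER, whoever that is. Nothing
    // ties $order->user_id to the requester: this is the IDOR.
    update_user_meta( $order->user_id, 'billing_email', sanitize_email( $_POST['billing_email'] ?? '' ) );
    update_user_meta( $order->user_id, 'billing_phone', sanitize_text_field( $_POST['billing_phone'] ?? '' ) );
    wp_send_json_success();
}
// Registering for logged-out callers (wp_ajax_nopriv_) is what makes the
// vulnerable shape reachable unauthenticated.
add_action( 'wp_ajax_nopriv_acme_pay_incomplete_order', 'acme_pay_incomplete_order_vulnerable' );
add_action( 'wp_ajax_acme_pay_incomplete_order', 'acme_pay_incomplete_order_vulnerable' );

// ---- Hardened shape: authenticate, then verify ownership, then write ----
function acme_pay_incomplete_order_hardened() {
    check_ajax_referer( 'acme_pay', '_acme_nonce' );   // still useful: CSRF

    // AC-3 / AC-6: an anonymous caller has no order to pay for.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    $uid      = get_current_user_id();
    $order_id = absint( $_POST['order_id'] ?? 0 );     // SI-10: integer or 0
    $order    = acme_get_order( $order_id );

    // Ownership check. Same response for "missing" and "not yours" so the
    // endpoint does not confirm which order ids exist (no enumeration oracle).
    if ( ! $order || (int) $order->user_id !== $uid ) {
        wp_send_json_error( 'order not found', 404 );
    }
    // Only an incomplete order is payable through this path.
    if ( 'incomplete' !== $order->status ) {
        wp_send_json_error( 'order is not payable', 409 );
    }

    // Write to the authenticated user only, never to an id taken from the request.
    update_user_meta( $uid, 'billing_email', sanitize_email( $_POST['billing_email'] ?? '' ) );
    update_user_meta( $uid, 'billing_phone', sanitize_text_field( $_POST['billing_phone'] ?? '' ) );
    wp_send_json_success();
}
// Logged-in users only: deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_acme_pay_incomplete_order', 'acme_pay_incomplete_order_hardened' );
```

The point to check when reviewing similar handlers is where the user id that receives the write comes from: if it is derived from the request (an order id, a user id parameter, a row looked up by an attacker-supplied key) rather than from the authenticated session, the handler needs an ownership comparison like the one above, and a nonce check on its own does not provide it.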
Details
- CWE(s)