CVE-2026-3358

EPSS 0.37%
Veröffentlicht 11.04.2026 01:24:56
Zuletzt bearbeitet 24.04.2026 18:00:32
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Tutor LMS <= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability.

Mögliche Gegenmaßnahme

Tutor LMS – eLearning and online course solution: Update to version 3.9.8, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 11

CNA 1 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerthemeum

≫

Produkt Tutor LMS – eLearning and online course solution

Default Statusunaffected

Version <= 3.9.7

Version 0

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt Tutor LMS – eLearning and online course solution

Version *-3.9.7

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.37%	0.29

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.wordfence.com/threat-intel/vulnerabilities/id/0c173356-7228-4253-bb28-2c2e11af76fd?source=cve

https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2066

https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L134

https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2053

https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2989

https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8

https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/classes/Course.php

https://www.wordfence.com/threat-intel/vulnerabilities/id/0c173356-7228-4253-bb28-2c2e11af76fd

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-3358

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-3358

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-3358

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-3358