{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3358", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-27T18:34:05.013Z", "datePublished": "2026-04-11T01:24:56.945Z", "dateUpdated": "2026-04-13T15:15:08.860Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-11T01:24:56.945Z"}, "affected": [{"vendor": "themeum", "product": "Tutor LMS \u2013 eLearning and online course solution", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.9.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability."}], "title": "Tutor LMS <= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c173356-7228-4253-bb28-2c2e11af76fd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2066"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L134"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2053"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2989"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8"}, {"url": "https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/classes/Course.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Mohammad Amin Hajian"}], "timeline": [{"time": "2026-02-27T18:49:18.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-10T11:46:32.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3358", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:09:07.243718Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:15:08.860Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3358", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T15:09:07.243718Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T15:11:43.078Z"}}], "cna": {"title": "Tutor LMS <= 3.9.7 - Missing Authorization to Authenticated (Subscriber+) Unauthorized Private Course Enrollment", "credits": [{"lang": "en", "type": "finder", "value": "Mohammad Amin Hajian"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "themeum", "product": "Tutor LMS \u2013 eLearning and online course solution", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.9.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-27T18:49:18.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-10T11:46:32.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c173356-7228-4253-bb28-2c2e11af76fd?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2066"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L134"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2053"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2989"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8"}, {"url": "https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/classes/Course.php"}], "descriptions": [{"lang": "en", "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-11T01:24:56.945Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3358", "state": "PUBLISHED", "dateUpdated": "2026-04-13T15:15:08.860Z", "dateReserved": "2026-02-27T18:34:05.013Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-11T01:24:56.945Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the target course ID. The enrollment record is created in the database and the private course title and enrollment status are exposed in the subscriber's dashboard, though WordPress core access control prevents the subscriber from viewing the actual course content (returns 404). Enrollment in private courses should be restricted to users with the `read_private_posts` capability."}], "id": "CVE-2026-3358", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-11T02:16:01.770", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L134"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2066"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2053"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2989"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3496394/tutor/trunk/classes/Course.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Ftutor/tags/3.9.7&new_path=%2Ftutor/tags/3.9.8"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c173356-7228-4253-bb28-2c2e11af76fd?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.9.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tutor LMS \u2013 eLearning and online course solution", "source": "cna", "vendor": "themeum"}, "product": "tutor_lms_\u2013_elearning_and_online_course_solution", "vendor": "themeum"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-11T02:51:25.041366+00:00", "value": {"mitigation_remediation": ["Upgrade Tutor LMS to version 3.9.8 or later, which restores private post_status validation on enrollment endpoints.", "If an immediate upgrade is not feasible, add a custom code snippet to your theme\u2019s functions.php or a site\u2011specific plugin that hooks into the enrollment process and aborts enrollment requests for users lacking the read_private_posts capability.", "Verify that private courses no longer appear in subscriber dashboards after the upgrade or custom restriction, and monitor for unauthorized enrollment attempts."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Private Course Enrollment"}, "threat_synthesis": {"affected_systems": "All WordPress sites that use the Tutor LMS plugin version 3.9.7 or earlier are affected. The plugin is distributed by themeum and is commonly installed on eLearning WordPress sites. Sites that have not upgraded beyond 3.9.7 retain the vulnerability and may unintentionally allow subscriber\u2011level users to enroll in private courses.", "description_and_impact": "The Tutor LMS plugin for WordPress contains a flaw that permits any authenticated user with Subscriber or higher role to enroll in courses marked as private. The enroll_now() and course_enrollment() functions validate the nonce, authentication, and whether the course is purchasable, but omit a check for the course\u2019s private post_status. Consequently, a crafted POST request with the target course ID creates an enrollment record in the database, and the subscriber can view the private course title and enrollment status in their dashboard. Although WordPress core blocks access to the actual content, the exposed metadata reveals private course existence, leading to privacy leakage.", "risk_and_exploitability": "The CVSS score of 5.4 indicates medium severity. Any authenticated user can exploit the flaw by sending a simple POST request to the enrollment endpoint, requiring only basic knowledge of HTTP methods and the target course ID. No elevated privileges or complex exploits are necessary. The absence of an EPSS score and the lack of inclusion in the CISA KEV catalog suggest that exploitation is not yet widespread, but the easy accessibility of the vulnerability demands prompt remediation."}}}}, "created": "2026-04-13T12:42:03.165829+00:00", "updated": "2026-04-13T12:56:47.647578+00:00", "vendors": ["themeum", "themeum$PRODUCT$tutor_lms_\u2013_elearning_and_online_course_solution", "wordpress", "wordpress$PRODUCT$wordpress"]}