Tutor LMS
cpe:2.3:a:themeum:tutor_lms:*:*:*:*:wordpress:*:*
- <= 3.9.7
A vulnerability exists in the Tutor LMS WordPress plugin in all versions up to and including 3.9.7. The issue is an Insecure Direct Object Reference (IDOR) caused by missing authentication and authorization checks in the 'pay_incomplete_order()' function: the function acts on whatever 'order_id' the request supplies without verifying that the caller owns that order. As a result, an unauthenticated attacker can overwrite the billing information (name, email, phone and address) of any user who has an incomplete manual order by sending a crafted POST request with a guessed or enumerated 'order_id'. The only check that stands in the way is the Tutor nonce, and because that nonce is embedded in public frontend pages, any visitor can read it, so it offers no protection against unauthenticated callers.
Exploitation of this vulnerability allows for unauthorized users to overwrite the billing information of any user with an incomplete manual order, potentially leading to misuse of personal data and disruption of user accounts.
To reproduce this vulnerability, first load a public frontend page of the site and read the Tutor nonce embedded in it. Then send a POST request to the 'pay_incomplete_order' endpoint that includes that nonce, a guessed or enumerated 'order_id', and new billing values; no login is required. This can be done with a tool like Postman or with a custom script that iterates over candidate 'order_id' values. A successful request is confirmed when the response indicates that the order was updated and the billing information of the targeted order has been overwritten.
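The following is an added, constructed example and not Tutor LMS code: it models the authorization gap described above and the enumeration loop from the reproduction steps in Python. The order store, the handler names, the nonce scheme and the sample orders are all assumptions made for illustration. The vulnerable handler checks the nonce and the order state but never asks whether the caller owns the order, so an unauthenticated attacker holding the public nonce can rewrite billing data on every incomplete order it can guess; the hardened handler next to it binds the order to the authenticated user and answers "not found" for both missing and foreign IDs so that order numbers cannot be confirmed by probing.

```python
# Constructed model of the IDOR described above. Added example code, not
# Tutor LMS source: names, the order store and the nonce scheme are stand-ins.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ACTION = "pay_incomplete_order"
ALLOWED_BILLING_FIELDS = {"name", "email", "phone", "address"}
SITE_SECRET = secrets.token_bytes(32)   # stand-in for the site's salt


def make_nonce(action: str) -> str:
    """WordPress-style CSRF nonce bound to an action. The page that embeds it
    is public, so it is not a secret: any visitor can read it."""
    return hmac.new(SITE_SECRET, action.encode(), hashlib.sha256).hexdigest()[:10]


def verify_nonce(nonce: str, action: str) -> bool:
    return hmac.compare_digest(nonce, make_nonce(action))


@dataclass
class Order:
    order_id: int
    owner_id: int
    status: str              # "incomplete" (manual order awaiting payment) or "paid"
    billing: dict = field(default_factory=dict)


def sample_store() -> dict:
    """Constructed orders: incomplete manual orders for users 1, 3 and 7 plus
    one paid order. Built fresh on each call because handlers mutate it."""
    return {o.order_id: o for o in [
        Order(100, 1, "incomplete", {"name": "Ann", "email": "ann@example.com"}),
        Order(101, 2, "paid",       {"name": "Bob", "email": "bob@example.com"}),
        Order(102, 3, "incomplete", {"name": "Cat", "email": "cat@example.com"}),
        Order(103, 7, "incomplete", {"name": "Dan", "email": "dan@example.com"}),
    ]}


def vulnerable_handler(store, request, current_user_id):
    """Shape of the flaw: nonce and order state are checked, but nobody asks
    whether the caller may touch this order_id (IDOR)."""
    if not verify_nonce(request.get("nonce", ""), ACTION):
        return 403, "bad nonce"
    order = store.get(int(request["order_id"]))
    if order is None:
        return 404, "no such order"
    if order.status != "incomplete":
        return 409, "order not payable"
    order.billing.update(request["billing"])   # overwrites any user's billing data
    return 200, "billing updated"


def hardened_handler(store, request, current_user_id):
    """Fixed shape: require a session, bind the order to that session's user,
    keep the state check, and only accept known billing fields."""
    if not verify_nonce(request.get("nonce", ""), ACTION):
        return 403, "bad nonce"
    if current_user_id is None:
        return 401, "login required"
    order = store.get(int(request["order_id"]))
    # Same answer for "missing" and "not yours" so IDs cannot be confirmed.
    if order is None or order.owner_id != current_user_id:
        return 404, "no such order"
    if order.status != "incomplete":
        return 409, "order not payable"
    unknown = set(request["billing"]) - ALLOWED_BILLING_FIELDS
    if unknown:
        return 400, "unexpected fields: " + ", ".join(sorted(unknown))
    order.billing.update(request["billing"])
    return 200, "billing updated"


def enumerate_orders(handler, store, user_id, id_range, payload):
    """Attacker loop from the reproduction steps: walk guessed order_ids with
    the nonce read from a public page; return the ids whose billing changed."""
    leaked_nonce = make_nonce(ACTION)          # read from the public frontend
    hijacked = []
    for oid in id_range:
        status, _ = handler(store, {"order_id": oid, "nonce": leaked_nonce,
                                    "billing": payload}, user_id)
        if status == 200:
            hijacked.append(oid)
    return hijacked


def run_demo() -> dict:
    payload = {"email": "attacker@example.net", "phone": "+10000000000"}
    vuln_store, hard_store, owner_store = sample_store(), sample_store(), sample_store()
    ids = range(95, 110)
    return {
        # unauthenticated attacker (user_id None) against each handler
        "vulnerable_unauthenticated": enumerate_orders(vulnerable_handler, vuln_store, None, ids, payload),
        "hardened_unauthenticated": enumerate_orders(hardened_handler, hard_store, None, ids, payload),
        # a logged-in user can still pay their own incomplete order
        "hardened_as_user_7": enumerate_orders(hardened_handler, owner_store, 7, ids, payload),
        "vulnerable_store": vuln_store,
        "hardened_store": hard_store,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        if not key.endswith("_store"):
            print(key, value)
```

Running the script shows the unauthenticated loop overwriting orders 100, 102 and 103 through the vulnerable handler and nothing through the hardened one, while user 7 can still update order 103. The ownership check must compare against the server-side session, never against a user id or email supplied in the request, or the IDOR simply moves to a different parameter.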
Users are advised to update the Tutor LMS plugin to version 3.9.8 or later, where this vulnerability has been patched.