CVE-2025-13628
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themeum | tutor_lms | up to 3.9.3 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Tutor LMS WordPress plugin allows authenticated users with subscriber level access or higher to modify or delete coupon data without proper authorization. This happens because the plugin's 'bulk_action_handler' and 'coupon_permanent_delete' functions lack adequate capability checks, enabling unauthorized deletion, activation, deactivation, or trashing of coupons. [2]
How can this vulnerability impact me?
The vulnerability can lead to unauthorized modification or deletion of coupon data in the Tutor LMS plugin. Attackers with low-level authenticated access can delete or alter coupons, potentially causing financial loss, disruption of promotional campaigns, or damage to business operations relying on coupon functionality.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update the Tutor LMS plugin to version 3.9.4 or later, which includes improved capability checks in the 'bulk_action_handler' function and nonce verification to prevent unauthorized coupon modifications. This update replaces the previous direct capability check with a more robust permission verification method and adds CSRF protection, effectively addressing the vulnerability. [2]
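The missing-authorization pattern (CWE-862) and the two checks the fix adds, shown on a hypothetical WordPress AJAX handler. This is an added illustration, not Tutor LMS code; the `demo_coupon_bulk` action and nonce name, the `manage_options` capability and the `demo_apply_coupon_action()` helper are assumptions.

```php
<?php
// Added illustration (not Tutor LMS code): a hypothetical WordPress AJAX handler for
// bulk coupon actions, first with the CWE-862 pattern, then hardened.
// Assumed names: the 'demo_coupon_bulk' action and nonce, the 'manage_options'
// capability, and demo_apply_coupon_action( $id, $action ), which performs the change.

// Vulnerable pattern: wp_ajax_* actions are reachable by any logged-in user, and the
// handler never asks whether the caller may manage coupons, so a subscriber-level
// account can trigger delete/activate/deactivate/trash on arbitrary coupon IDs.
function demo_bulk_action_handler_vulnerable() {
    $ids    = array_map( 'absint', (array) ( $_POST['ids'] ?? array() ) );
    $action = sanitize_key( $_POST['bulk_action'] ?? '' );
    foreach ( $ids as $id ) {
        demo_apply_coupon_action( $id, $action ); // state change with no authorization check
    }
    wp_send_json_success();
}

// Hardened pattern: a nonce check (CSRF) and a capability check (authorization) run
// before any state change. Both are needed: a nonce proves the request was intended
// by this user, it does not prove the user is allowed to do this.
function demo_bulk_action_handler_hardened() {
    check_ajax_referer( 'demo_coupon_bulk', 'nonce' ); // terminates with 403 on a bad or missing nonce

    if ( ! current_user_can( 'manage_options' ) ) {   // use the site's coupon-admin capability
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $allowed = array( 'delete', 'activate', 'deactivate', 'trash' );
    $action  = sanitize_key( $_POST['bulk_action'] ?? '' );
    if ( ! in_array( $action, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown action.' ), 400 );
    }

    $ids = array_map( 'absint', (array) ( $_POST['ids'] ?? array() ) );
    foreach ( $ids as $id ) {
        demo_apply_coupon_action( $id, $action );
    }
    wp_send_json_success( array( 'processed' => count( $ids ) ) );
}

// Only the hardened handler is wired up; the vulnerable one is shown for comparison.
add_action( 'wp_ajax_demo_coupon_bulk', 'demo_bulk_action_handler_hardened' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_*` (and REST route) callback that changes state and confirm it reaches both a nonce check and a `current_user_can()` check before touching data.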