CVE-2025-13679
Unauthorized Data Access in Tutor LMS via Missing Capability Check
Publication date: 2026-01-08
Last updated on: 2026-01-08
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themeum | tutor_lms | up to and including 3.9.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of personally identifiable information (PII) including student names, emails, phone numbers, and billing addresses. This exposure can result in privacy breaches, potential identity theft, and loss of trust from users of the eLearning platform. [1]
Can you explain this vulnerability to me?
This vulnerability in the Tutor LMS WordPress plugin allows authenticated users with Subscriber-level access or higher to bypass proper permission checks due to a missing capability check in the get_order_by_id() function. This flaw enables them to enumerate order IDs and access sensitive personal information such as student names, email addresses, phone numbers, and billing addresses without authorization. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can negatively impact compliance with data protection regulations such as GDPR and HIPAA because it allows unauthorized access and exfiltration of sensitive personal data (PII). Such unauthorized disclosure may constitute a data breach under these regulations, potentially leading to legal penalties and the requirement to notify affected individuals. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking if your Tutor LMS plugin version is 3.9.3 or earlier, as these versions lack proper capability checks on the get_order_by_id() function. To detect exploitation attempts, monitor AJAX requests to the 'tutor_order_details' endpoint, especially POST requests containing 'order_id' parameters from users with Subscriber-level access. There are no specific commands provided in the resources, but you can use network monitoring tools like Wireshark or tcpdump to filter for POST requests to admin-ajax.php with the action 'tutor_order_details'. Additionally, reviewing WordPress logs for unauthorized access attempts to this AJAX action may help. [1]
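A log-review script along the lines described above, added here as an example and not part of this advisory or the Tutor LMS project. It assumes a reverse-proxy or WAF log in combined format with one extra quoted field carrying the POST body (the sample lines are constructed), because WordPress normally receives the AJAX action in the request body and a plain web-server access log would not show it.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: combined format plus a trailing quoted POST body,
# as a reverse proxy or WAF might record it. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 812 "action=tutor_order_details&order_id=1001"
203.0.113.7 - - [08/Jan/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 790 "action=tutor_order_details&order_id=1002"
203.0.113.7 - - [08/Jan/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 801 "action=tutor_order_details&order_id=1003"
198.51.100.4 - - [08/Jan/2026:10:01:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 799 "action=tutor_order_details&order_id=2231"
198.51.100.4 - - [08/Jan/2026:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "data=x"
192.0.2.9 - - [08/Jan/2026:10:03:00 +0000] "GET /wp-content/plugins/tutor/assets/app.js HTTP/1.1" 200 44120 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<body>[^"]*)"$'
)
ACTION = "tutor_order_details"  # the AJAX action named in the advisory


def parse_line(line):
    """Return (client_ip, order_id) for a POST to the affected AJAX action, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # WordPress accepts the action in the query string or the body; merge both.
    params = {**parse_qs(url.query), **parse_qs(m["body"])}
    if params.get("action", [None])[0] != ACTION:
        return None
    return m["ip"], params.get("order_id", [None])[0]


def find_enumeration(log_text, threshold=3):
    """Map client IP -> sorted distinct order_id values, keeping IPs at or above threshold."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit and hit[1] is not None:
            seen[hit[0]].add(hit[1])
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {len(ids)} distinct order_id values -> {ids}")
```

A single request for one order is normal student activity; the threshold flags one source requesting many distinct order IDs, which is the enumeration pattern the advisory describes, and the flagged IPs can then be matched against the site's user sessions.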
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Tutor LMS plugin to version 3.9.4 or later, where the vulnerability is fixed by replacing the get_order_by_id() method with ajax_get_order_details(), which includes proper nonce verification and user capability checks. Until you can update, restrict access to the AJAX endpoint 'tutor_order_details' to trusted users only, and monitor for suspicious activity related to order ID enumeration. [1]