CVE-2025-13679
Unknown Unknown - Not Provided
Unauthorized Data Access in Tutor LMS via Missing Capability Check

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: Wordfence

Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-01-08
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13679
EUVD
EUVD-2026-1586
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
themeum tutor_lms to 3.9.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability can lead to unauthorized disclosure of personally identifiable information (PII) including student names, emails, phone numbers, and billing addresses. This exposure can result in privacy breaches, potential identity theft, and loss of trust from users of the eLearning platform. [1]

Executive Summary

This vulnerability in the Tutor LMS WordPress plugin allows authenticated users with Subscriber-level access or higher to bypass proper permission checks due to a missing capability check in the get_order_by_id() function. This flaw enables them to enumerate order IDs and access sensitive personal information such as student names, email addresses, phone numbers, and billing addresses without authorization. [1]

Compliance Impact

This vulnerability can negatively impact compliance with data protection regulations such as GDPR and HIPAA because it allows unauthorized access and exfiltration of sensitive personal data (PII). Such unauthorized disclosure may constitute a data breach under these regulations, potentially leading to legal penalties and the requirement to notify affected individuals. [1]

Detection Guidance

You can detect this vulnerability by checking if your Tutor LMS plugin version is 3.9.3 or earlier, as these versions lack proper capability checks on the get_order_by_id() function. To detect exploitation attempts, monitor AJAX requests to the 'tutor_order_details' endpoint, especially POST requests containing 'order_id' parameters from users with Subscriber-level access. There are no specific commands provided in the resources, but you can use network monitoring tools like Wireshark or tcpdump to filter for POST requests to admin-ajax.php with the action 'tutor_order_details'. Additionally, reviewing WordPress logs for unauthorized access attempts to this AJAX action may help. [1]

Mitigation Strategies

The immediate mitigation step is to update the Tutor LMS plugin to version 3.9.4 or later, where the vulnerability is fixed by replacing the get_order_by_id() method with ajax_get_order_details(), which includes proper nonce verification and user capability checks. Until you can update, restrict access to the AJAX endpoint 'tutor_order_details' to trusted users only, and monitor for suspicious activity related to order ID enumeration. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13679. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart