CVE-2025-13934
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: Wordfence

Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-09
Last Modified
2026-01-09
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13934
EUVD
EUVD-2026-1779
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
unknown_vendor tutor_lms to 3.9.3 (inc)
unknown_vendor tutor_lms 3.9.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Tutor LMS WordPress plugin allows authenticated users with subscriber-level access or higher to enroll themselves in any course without paying. This happens because the plugin's AJAX handler for course enrollment lacks proper capability checks and validation to confirm if the user has purchased the course. As a result, users can bypass the purchase process and gain unauthorized access to paid courses. [2]

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to access paid courses without payment, potentially leading to revenue loss. It undermines the intended access controls of the eLearning platform, allowing users to bypass purchase requirements and enroll in courses freely, which can affect the business model and content protection. [2]

Detection Guidance

You can detect this vulnerability by monitoring AJAX requests to the `course_enrollment()` handler in the Tutor LMS plugin. Look for unauthorized enrollment attempts where subscriber-level users enroll in courses without purchase validation. Specifically, inspect network traffic or server logs for AJAX calls attempting course enrollment without proper purchase checks. Commands to assist detection might include using tools like curl or wget to simulate enrollment requests, or using network monitoring tools (e.g., tcpdump, Wireshark) to capture suspicious AJAX POST requests to the enrollment endpoint. However, no specific commands are provided in the resources. [2]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Tutor LMS plugin to version 3.9.4 or later, where the vulnerability is fixed. The fix includes adding a verification step in the AJAX enrollment handler to check if the course is purchasable and whether the user is already enrolled, preventing unauthorized enrollment without purchase. Until the update is applied, consider restricting AJAX access to the enrollment handler or limiting subscriber-level user permissions as a temporary measure. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13934. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart