CVE-2025-13935
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-09

Last updated on: 2026-01-09

Assigner: Wordfence

Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-09
Last Modified
2026-01-09
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13935
EUVD
EUVD-2026-1784
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
themeum tutor_lms to 3.9.2 (inc)
themeum tutor_lms 3.9.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Tutor LMS WordPress plugin allows authenticated users with subscriber-level access or higher to mark any course as completed without proper enrollment verification. The issue arises because the 'mark_course_complete' function lacks checks to confirm if the user is actually enrolled in the course, enabling unauthorized course completion. [1]

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to falsely mark courses as completed without actually taking or paying for them. This undermines the integrity of course completion records, potentially affecting certification validity, revenue, and trust in the eLearning platform. [1]

Detection Guidance

You can detect this vulnerability by monitoring for unauthorized AJAX calls to the 'mark_course_complete' function or enrollment actions without proper purchase verification. Specifically, look for AJAX requests attempting to mark courses as complete or enroll without purchase. Commands to detect such activity could include using network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests to the Tutor LMS AJAX endpoints. For example, using tcpdump: `tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep 'mark_course_complete'` to capture suspicious requests. Additionally, reviewing WordPress logs or plugin logs for unauthorized course completion attempts can help identify exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to update the Tutor LMS plugin to version 3.9.4 or later, where the vulnerability is fixed by adding enrollment verification before allowing course completion or enrollment. This update ensures that users cannot mark courses as complete or enroll without purchasing them first. If updating immediately is not possible, restrict access to the AJAX endpoints related to course completion or enrollment to trusted users only, and monitor for suspicious activity. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13935. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart