CVE-2025-13935
BaseFortify
Publication date: 2026-01-09
Last updated on: 2026-01-09
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| themeum | tutor_lms | up to and including 3.9.2 |
| themeum | tutor_lms | 3.9.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Tutor LMS WordPress plugin allows authenticated users with subscriber-level access or higher to mark any course as completed without proper enrollment verification. The issue arises because the 'mark_course_complete' function lacks checks to confirm if the user is actually enrolled in the course, enabling unauthorized course completion. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users to falsely mark courses as completed without actually taking or paying for them. This undermines the integrity of course completion records, potentially affecting certification validity, revenue, and trust in the eLearning platform. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by monitoring for unauthorized AJAX calls to the 'mark_course_complete' function or for enrollment actions without proper purchase verification. Specifically, look for AJAX requests that attempt to mark courses as complete or to enroll without a purchase. Network monitoring tools such as tcpdump or Wireshark can filter HTTP POST requests to the Tutor LMS AJAX endpoints. For example, using tcpdump: `tcpdump -i any -A -s 0 'tcp port 80 or tcp port 443' | grep 'mark_course_complete'` to capture suspicious requests. Note that traffic on port 443 is TLS-encrypted, so the string match only works on plaintext HTTP or at a point where TLS has already been terminated (for example, a reverse proxy or the web server's own access logs). Additionally, reviewing WordPress logs or plugin logs for unauthorized course completion attempts can help identify exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Tutor LMS plugin to version 3.9.4 or later, where the vulnerability is fixed by adding enrollment verification before allowing course completion or enrollment. This update ensures that users cannot mark courses as complete or enroll without purchasing them first. If updating immediately is not possible, restrict access to the AJAX endpoints related to course completion or enrollment to trusted users only, and monitor for suspicious activity. [1]
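The missing check described above (CWE-862) and the fix this update is described as applying can be illustrated with a generic WordPress AJAX handler. This is an added example, not Tutor LMS code; the `example_*` functions, the `_example_enrolled_courses` user meta key and the `example_course` post type are hypothetical stand-ins for a plugin's own enrollment storage.

```php
<?php
// Added illustration (not Tutor LMS code). All example_* names and the
// storage layout are assumptions; a real plugin queries its own tables.

// Hypothetical enrollment lookup: user meta holding enrolled course IDs.
function example_is_enrolled( int $user_id, int $course_id ): bool {
    $enrolled = (array) get_user_meta( $user_id, '_example_enrolled_courses', true );
    return in_array( $course_id, array_map( 'intval', $enrolled ), true );
}

// Hypothetical state change: record the completion timestamp.
function example_record_completion( int $user_id, int $course_id ): void {
    update_user_meta( $user_id, '_example_completed_' . $course_id, time() );
}

// BEFORE (CWE-862 pattern): the wp_ajax_* hook only guarantees a logged-in
// session, so any subscriber can complete any course ID they submit.
function example_mark_complete_unsafe() {
    $course_id = (int) ( $_POST['course_id'] ?? 0 );
    example_record_completion( get_current_user_id(), $course_id );
    wp_send_json_success();
}

// AFTER: verify the CSRF nonce, that the course exists, and that this user
// is actually enrolled, all before any state is written.
function example_mark_complete_safe() {
    check_ajax_referer( 'example_mark_complete', '_nonce' );
    $user_id   = get_current_user_id();
    $course_id = (int) ( $_POST['course_id'] ?? 0 );
    if ( ! $user_id || ! $course_id || get_post_type( $course_id ) !== 'example_course' ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }
    if ( ! example_is_enrolled( $user_id, $course_id ) ) {
        // Authorization failure: log it for detection, then refuse.
        error_log( sprintf( 'completion denied: user %d not enrolled in course %d', $user_id, $course_id ) );
        wp_send_json_error( array( 'message' => 'Not enrolled.' ), 403 );
    }
    example_record_completion( $user_id, $course_id );
    wp_send_json_success();
}

// Register only the logged-in hook; no wp_ajax_nopriv_* variant is exposed.
add_action( 'wp_ajax_example_mark_complete', 'example_mark_complete_safe' );
```

The `error_log` line in the hardened handler is what makes the "review plugin logs for unauthorized completion attempts" advice above actionable: denied requests leave a record that includes the user and course IDs.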