CVE-2025-13679 — Missing Authorization in Tutor LMS Elearning AND Online Course Solution

CWE-862 — Missing Authorization4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.1%

top 84.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Themeum Tutor LMS Elearning AND Online Course Solution

Timeline

PublishedJan 8

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages1 packages

▶CVEListV5themeum/tutor_lms_elearning_and_online_course_solution3.9.3

🔴Vulnerability Details

GHSA

GHSA-3wv2-22p2-9vr8: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability che↗2026-01-08

▶

CVEList

Tutor LMS <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via tutor_order_details↗2026-01-08

▶

🕵️Threat Intelligence

Wiz

CVE-2025-13679 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶