CVE-2025-13679 Overview
The Tutor LMS – eLearning and online course solution plugin for WordPress contains a broken access control vulnerability due to a missing capability check on the get_order_by_id() function. This flaw affects all versions up to and including 3.9.3, allowing authenticated attackers with Subscriber-level access or above to enumerate order IDs and exfiltrate sensitive personally identifiable information (PII), including student names, email addresses, phone numbers, and billing addresses.
Critical Impact
Authenticated attackers with minimal privileges (Subscriber-level) can access and exfiltrate sensitive student PII including names, emails, phone numbers, and billing addresses through unauthorized order data access.
Affected Products
- Tutor LMS WordPress Plugin versions up to and including 3.9.3
- WordPress sites using vulnerable Tutor LMS installations
- eLearning platforms built on Tutor LMS with ecommerce functionality enabled
Discovery Timeline
- 2026-01-08 - CVE-2025-13679 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-13679
Vulnerability Analysis
This vulnerability is classified under CWE-862 (Missing Authorization), a common security flaw where an application fails to perform authorization checks before allowing access to protected functionality. In the context of Tutor LMS, the get_order_by_id() function within the OrderController.php file does not verify whether the requesting user has appropriate permissions to view order details.
The vulnerability enables authenticated users with even the lowest privilege level (Subscriber) to access order records that should be restricted to administrators or the original customer. This represents a significant broken access control issue that exposes sensitive customer data including full names, email addresses, phone numbers, and complete billing addresses.
Root Cause
The root cause of this vulnerability is the absence of a capability check in the get_order_by_id() function. WordPress plugins should implement proper authorization using functions like current_user_can() to verify that the requesting user has appropriate permissions before returning sensitive data. The vulnerable code path allows any authenticated user to query order information by simply providing an order ID, without validating whether they have the authority to access that specific order record. Because the original customer is also entitled to see their own order, a correct check has to cover both cases: a site-level capability for staff, or ownership of the specific record for everyone else.
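The two shapes described above, as an added example that is not Tutor LMS's own code: a simplified order lookup handler with the missing-authorization defect, next to a hardened form that requires either a site-level capability or ownership of the record. The function names get_order_by_id_vulnerable(), get_order_by_id_hardened() and load_order_record(), the DEMO_ORDERS store and the use of manage_options as the staff capability are assumptions for illustration; current_user_can(), get_current_user_id(), wp_send_json_success() and wp_send_json_error() are real WordPress functions.

```php
<?php
// Added example (not Tutor LMS code): the missing-authorization shape of an
// order lookup next to a hardened version. Function names, the order store and
// the capability name are hypothetical choices for illustration.
//
// When run outside WordPress (ABSPATH undefined), minimal stand-ins are defined
// so the file executes under plain `php`. The real WordPress functions send
// JSON and exit; the stand-ins return arrays instead so results can be inspected.
if (!defined('ABSPATH')) {
    function get_current_user_id(): int { return $GLOBALS['demo_user_id'] ?? 0; }
    function current_user_can(string $cap): bool { return in_array($cap, $GLOBALS['demo_caps'] ?? [], true); }
    function wp_send_json_success($data): array { return ['success' => true, 'data' => $data]; }
    function wp_send_json_error($data, int $status = 500): array { return ['success' => false, 'data' => $data, 'status' => $status]; }
}

// Constructed sample order records keyed by order ID (hypothetical schema).
const DEMO_ORDERS = [
    101 => ['id' => 101, 'user_id' => 7, 'name' => 'A. Student', 'email' => 'a@example.com', 'phone' => '555-0100', 'billing' => '1 Example St'],
    102 => ['id' => 102, 'user_id' => 9, 'name' => 'B. Student', 'email' => 'b@example.com', 'phone' => '555-0101', 'billing' => '2 Example St'],
];

function load_order_record(int $order_id): ?array
{
    return DEMO_ORDERS[$order_id] ?? null;
}

// Vulnerable shape (CWE-862): the only precondition is being logged in, so any
// Subscriber can read any order simply by supplying its ID.
function get_order_by_id_vulnerable(int $order_id): array
{
    $order = load_order_record($order_id);
    if ($order === null) {
        return wp_send_json_error('Order not found', 404);
    }
    return wp_send_json_success($order);
}

// Hardened shape: the caller must hold a site-level capability OR own the
// specific record. A nonce check (check_ajax_referer) alone would not close
// this hole, because a Subscriber can obtain a valid nonce; nonces address
// CSRF, not authorization.
function get_order_by_id_hardened(int $order_id): array
{
    $current_user = get_current_user_id();
    if ($current_user === 0) {
        return wp_send_json_error('Authentication required', 401);
    }
    $order    = load_order_record($order_id);
    $is_admin = current_user_can('manage_options');   // ASSUMED staff capability
    $is_owner = $order !== null && (int) $order['user_id'] === $current_user;
    // One identical 404 for "does not exist" and "not yours", so the response
    // does not reveal which order IDs are valid to a probing low-privilege user.
    if ($order === null || (!$is_admin && !$is_owner)) {
        return wp_send_json_error('Order not found', 404);
    }
    return wp_send_json_success($order);
}

// Stand-alone demonstration: user 9 is a Subscriber (capability "read" only)
// who owns order 102 and asks both handlers for order 101, then for 102.
if (!defined('ABSPATH')) {
    $GLOBALS['demo_user_id'] = 9;
    $GLOBALS['demo_caps']    = ['read'];
    var_dump(get_order_by_id_vulnerable(101));  // another customer's record
    var_dump(get_order_by_id_hardened(101));    // denied with a generic 404
    var_dump(get_order_by_id_hardened(102));    // own order, allowed
}
```

The check is deliberately two-sided: current_user_can() alone would lock customers out of their own orders, while an ownership comparison alone would leave support staff unable to look up records. Returning the same 404 for "missing" and "forbidden" also removes the oracle that would otherwise let a low-privilege account learn which order IDs exist.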
Attack Vector
The attack is network-based and requires only low-privilege authenticated access to the WordPress site. An attacker would need to:
- Register or obtain a Subscriber-level account on the target WordPress site
- Authenticate to the WordPress installation
- Send requests to the get_order_by_id() endpoint with enumerated order IDs
- Harvest the returned PII data from each successful request
The attack requires no user interaction and can be automated to systematically enumerate and extract all order records from the database. Since order IDs are typically sequential integers, an attacker can easily iterate through possible values to discover valid orders.
Detection Methods for CVE-2025-13679
Indicators of Compromise
- Unusual volume of requests to Tutor LMS order-related API endpoints from low-privilege user accounts
- Sequential or enumerated order ID queries from a single user session
- Subscriber-level accounts accessing administrative order data
- Unexpected data export patterns or bulk queries against order records
Detection Strategies
- Monitor WordPress audit logs for Subscriber-level users accessing order controller endpoints
- Implement rate limiting detection for rapid sequential API requests
- Alert on access patterns where users query orders they did not create
- Review web server access logs for enumeration patterns against ecommerce endpoints
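The log review suggested in the Detection Strategies above, as an added example that is not part of the advisory or the plugin: a small PHP script that parses combined-log-format access log lines, pulls the order ID out of each lookup request, groups requests by client, and reports clients that queried many distinct order IDs in a mostly consecutive sequence. The endpoint marker, the example_get_order action name and the order_id query parameter are assumed request shapes for illustration, and the log lines are constructed; substitute the real request pattern from your own logs.

```php
<?php
// Added example, not part of the advisory or of Tutor LMS. Scans combined-log-
// format access log lines for order-ID enumeration by a single client.
// The endpoint marker, action name and `order_id` parameter are ASSUMED shapes.

const ORDER_ENDPOINT_MARKER = 'order';    // ASSUMED: substring present in order lookup requests
const ORDER_PARAM           = 'order_id'; // ASSUMED: query parameter carrying the order ID
const MIN_DISTINCT_IDS      = 5;          // flag a client after this many distinct IDs
const MIN_SEQUENTIAL_RATIO  = 0.8;        // ...when most consecutive requests step by exactly +1

// Parse one combined-log-format line into its client, request and status fields.
function parse_log_line(string $line): ?array
{
    // IP - user [time] "METHOD path HTTP/x" status bytes "referer" "agent"
    $re = '/^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'user' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5], 'agent' => $m[6]];
}

// Extract the integer order ID from a request path, or null if it is not an order lookup.
function extract_order_id(string $path): ?int
{
    if (stripos($path, ORDER_ENDPOINT_MARKER) === false) {
        return null;
    }
    $query = parse_url($path, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);
    if (!isset($params[ORDER_PARAM]) || !ctype_digit((string) $params[ORDER_PARAM])) {
        return null;
    }
    return (int) $params[ORDER_PARAM];
}

// Group order lookups by client and return the clients that look like enumeration.
// Result: [client => ['distinct' => n, 'disclosed' => n200, 'sequential_ratio' => r, 'ids' => [...]]]
function find_enumeration_suspects(array $lines): array
{
    $by_client = [];
    foreach ($lines as $line) {
        $entry = parse_log_line($line);
        if ($entry === null) {
            continue;
        }
        $id = extract_order_id($entry['path']);
        if ($id === null) {
            continue;
        }
        // Combined logs carry no WordPress user ID, so IP + user agent stands in for the session.
        $client = $entry['ip'] . ' | ' . $entry['agent'];
        $by_client[$client][] = ['id' => $id, 'ok' => $entry['status'] === 200];
    }

    $suspects = [];
    foreach ($by_client as $client => $requests) {
        $ids      = array_column($requests, 'id');
        $distinct = count(array_unique($ids));
        if ($distinct < MIN_DISTINCT_IDS) {
            continue;
        }
        // Fraction of consecutive requests whose order ID increased by exactly one.
        $steps = 0;
        for ($i = 1; $i < count($ids); $i++) {
            if ($ids[$i] - $ids[$i - 1] === 1) {
                $steps++;
            }
        }
        $ratio = $steps / (count($ids) - 1);
        if ($ratio >= MIN_SEQUENTIAL_RATIO) {
            $disclosed = count(array_filter($requests, fn($r) => $r['ok']));  // each 200 is one record exposed
            $suspects[$client] = ['distinct' => $distinct, 'disclosed' => $disclosed, 'sequential_ratio' => $ratio, 'ids' => $ids];
        }
    }
    return $suspects;
}

// Constructed sample log lines: one client walking IDs 100..105, one normal customer.
$sample_lines = [
    '203.0.113.5 - - [08/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_get_order&order_id=100 HTTP/1.1" 200 812 "-" "Mozilla/5.0 demo"',
    '203.0.113.5 - - [08/Jan/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_get_order&order_id=101 HTTP/1.1" 200 805 "-" "Mozilla/5.0 demo"',
    '203.0.113.5 - - [08/Jan/2026:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example_get_order&order_id=102 HTTP/1.1" 404 44 "-" "Mozilla/5.0 demo"',
    '203.0.113.5 - - [08/Jan/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=example_get_order&order_id=103 HTTP/1.1" 200 799 "-" "Mozilla/5.0 demo"',
    '203.0.113.5 - - [08/Jan/2026:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=example_get_order&order_id=104 HTTP/1.1" 200 820 "-" "Mozilla/5.0 demo"',
    '203.0.113.5 - - [08/Jan/2026:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=example_get_order&order_id=105 HTTP/1.1" 200 811 "-" "Mozilla/5.0 demo"',
    '198.51.100.7 - - [08/Jan/2026:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=example_get_order&order_id=247 HTTP/1.1" 200 830 "-" "Mozilla/5.0 demo"',
    '198.51.100.7 - - [08/Jan/2026:10:07:10 +0000] "GET /wp-admin/admin-ajax.php?action=example_get_order&order_id=247 HTTP/1.1" 200 830 "-" "Mozilla/5.0 demo"',
];

foreach (find_enumeration_suspects($sample_lines) as $client => $info) {
    printf("suspect %s: %d distinct order IDs, %d records returned, sequential ratio %.2f\n",
        $client, $info['distinct'], $info['disclosed'], $info['sequential_ratio']);
}
```

Web server logs do not record the WordPress user, which is why the script keys on IP plus user agent; a WordPress activity-logging plugin that records the acting user ID lets the same grouping be done per account, which maps directly onto the "Subscriber-level accounts accessing administrative order data" indicator. Non-200 responses are kept in the sequence on purpose: a run of 404s interleaved with 200s is still an enumeration walk, and the count of 200s tells you how many records were actually disclosed.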
Monitoring Recommendations
- Enable WordPress activity logging with plugins that track API access
- Configure web application firewall (WAF) rules to detect order ID enumeration attempts
- Set up alerts for bulk data access patterns from non-administrative accounts
- Regularly audit user access logs for anomalous behavior patterns
How to Mitigate CVE-2025-13679
Immediate Actions Required
- Update Tutor LMS plugin to version 3.9.4 or later immediately
- Audit access logs to determine if the vulnerability was exploited prior to patching
- Review user accounts with Subscriber or higher access for suspicious activity
- Consider temporarily disabling the Tutor LMS ecommerce functionality until patched
Patch Information
The vulnerability has been addressed in Tutor LMS version 3.9.4. The fix implements proper capability checks in the OrderController.php file to ensure that only authorized users can access order data. The specific changes can be reviewed in the WordPress plugin changeset 3422766. Additional technical details are available in the Wordfence vulnerability report.
Workarounds
- If immediate update is not possible, restrict Subscriber registrations until the patch is applied
- Implement additional authorization controls at the web server or WAF level
- Disable the ecommerce module functionality temporarily if not critical to operations
- Monitor for and block suspicious enumeration patterns through server-side rate limiting
# WordPress CLI command to update Tutor LMS plugin
wp plugin update tutor --version=3.9.4
# Verify the installed version after update
wp plugin get tutor --field=version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.