CVE-2025-11564

5.3 MEDIUM

📋 TL;DR

This vulnerability in the Tutor LMS WordPress plugin allows unauthenticated attackers to bypass payment verification by forging webhook requests with the 'recurring' payment_type. Attackers can mark orders as paid without making any actual payment, affecting all WordPress sites running Tutor LMS up to and including version 3.8.3.

💻 Affected Systems

Products:
  • Tutor LMS – eLearning and online course solution for WordPress
Versions: All versions up to and including 3.8.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects sites using the PayPal payment gateway with recurring payments enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could mark all orders as paid, causing complete revenue loss and allowing unauthorized access to paid courses without payment.

🟠 Likely Case

Attackers exploit this to access paid courses for free, causing direct revenue loss and undermining course monetization.

🟢 If Mitigated

With proper webhook validation and authentication, impact is limited to attempted attacks that fail because of those controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting HTTP requests to the vulnerable webhook endpoint with specific parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.8.4 or later

Vendor Advisory: https://wordpress.org/plugins/tutor/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Tutor LMS and click 'Update Now'.
4. Verify the update to version 3.8.4 or higher.

🔧 Temporary Workarounds

Disable PayPal recurring payments
Scope: all
Temporarily disable the PayPal recurring payment option in Tutor LMS settings.

Webhook endpoint restriction
Scope: all
Restrict access to the vulnerable webhook endpoint using web server rules or a WAF.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block suspicious webhook requests
  • Monitor payment logs for orders marked as paid without corresponding payment transactions

🔍 How to Verify

Check if Vulnerable:

Check the Tutor LMS plugin version in the WordPress admin panel under Plugins → Installed Plugins.

Check Version:

wp plugin list --name=tutor --field=version

Verify Fix Applied:

Verify that the Tutor LMS version is 3.8.4 or higher after the update.

📡 Detection & Monitoring

Log Indicators:

  • Webhook requests with payment_type=recurring from unexpected IPs
  • Orders marked as paid without corresponding payment gateway transactions

Network Indicators:

  • HTTP POST requests to /wp-json/tutor/v1/paypal-webhook with recurring payment_type

SIEM Query:

source="web_server" AND uri_path="/wp-json/tutor/v1/paypal-webhook" AND http_method="POST" AND form_data.payment_type="recurring"
