CVE-2025-13628
📋 TL;DR
This vulnerability allows authenticated WordPress users with subscriber-level access or higher to modify and delete coupon data in Tutor LMS. Attackers can delete, activate, deactivate, or trash arbitrary coupons without proper authorization. All WordPress sites using Tutor LMS up to version 3.9.3 are affected.
💻 Affected Systems
- Tutor LMS – eLearning and online course solution for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious users could delete all coupons, disrupting e-commerce functionality and causing financial loss through coupon abuse or unauthorized modifications.
Likely Case
Subscribers or low-privilege users deleting or modifying coupons they shouldn't have access to, potentially causing minor business disruption.
If Mitigated
With proper user role management and monitoring, impact is limited to authorized coupon management actions only.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. Subscriber is the lowest WordPress user role.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.4 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/ecommerce/CouponController.php
Restart Required: No
Instructions:
1. Update Tutor LMS plugin to version 3.9.4 or later via WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Tutor LMS and click 'Update Now'. 4. Verify update completes successfully.
🔧 Temporary Workarounds
Restrict User Roles
allTemporarily restrict creation of new subscriber accounts or review existing subscriber accounts for suspicious activity.
Disable Coupon Functionality
allTemporarily disable coupon functionality in Tutor LMS settings if not critically needed.
🧯 If You Can't Patch
- Implement strict user role management and audit all subscriber-level accounts
- Enable detailed logging of coupon-related actions and monitor for unauthorized changes
🔍 How to Verify
Check if Vulnerable:
Check Tutor LMS plugin version in WordPress admin panel under Plugins > Installed Plugins. If version is 3.9.3 or lower, you are vulnerable.Check Version:
wp plugin list --name=tutor --field=version (if WP-CLI installed) or check WordPress admin panelVerify Fix Applied:
After updating, verify Tutor LMS version shows 3.9.4 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual coupon deletion/modification events from subscriber-level users
- Bulk coupon operations from non-admin users
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action parameters related to coupon operations
SIEM Query:
source="wordpress.log" AND ("coupon_permanent_delete" OR "bulk_action_handler") AND user_role="subscriber"