CVE-2025-13679
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to enumerate order IDs and read sensitive personally identifiable information (PII) from Tutor LMS orders. The flaw lies in the get_order_by_id() function, which lacks a proper capability check. All WordPress sites running Tutor LMS plugin versions up to and including 3.9.3 are affected.
💻 Affected Systems
- Tutor LMS – eLearning and online course solution WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate all student PII including names, emails, phone numbers, and billing addresses, leading to data breaches, identity theft, and regulatory compliance violations.
Likely Case
Malicious subscribers or compromised accounts would access and steal sensitive student data from the e-commerce system, potentially selling it or using it for phishing campaigns.
If Mitigated
With proper access controls and monitoring, only authorized administrators can access order data, and any unauthorized access attempts are detected and blocked.
🎯 Exploit Status
Exploitation requires authenticated access, but only at the minimal Subscriber level, so any compromised low-privilege account or insider can trigger it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.4
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3422766/tutor/tags/3.9.4/ecommerce/OrderController.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Tutor LMS plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.9.4+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Restrict Subscriber Access
Temporarily remove the Subscriber role from all users, or restrict its capabilities, until the patch is applied.
Use a WordPress role management plugin or custom code to modify capabilities.
Web Application Firewall Rule
Block access to the vulnerable endpoint using WAF rules.
Add a rule that blocks requests to /wp-admin/admin-ajax.php with action=tutor_get_order_by_id from non-admin users.
🧯 If You Can't Patch
- Implement strict access controls to limit Subscriber role capabilities
- Monitor and audit all access to order data and admin-ajax.php endpoints
🔍 How to Verify
Check if Vulnerable:
Check the Tutor LMS plugin version in the WordPress admin panel under Plugins > Installed Plugins. If the version is 3.9.3 or lower, you are vulnerable.
Check Version:
wp plugin list --name=tutor --field=version (if WP-CLI is installed), or check the WordPress admin panel
Verify Fix Applied:
After updating, verify that the version shown is 3.9.4 or higher. Then confirm with a Subscriber account that order data access is properly restricted.
📡 Detection & Monitoring
Log Indicators:
- Multiple admin-ajax.php requests with action=tutor_get_order_by_id from non-admin users
- Unusual order ID enumeration patterns in access logs
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with suspicious order ID parameters
SIEM Query:
source="wordpress_access.log" AND uri="/wp-admin/admin-ajax.php" AND post_data="action=tutor_get_order_by_id" AND user_role!="administrator"
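The following script is an added example, not part of the original advisory, and not Tutor LMS or WordPress code. It implements the log indicators and SIEM query above as runnable detection logic: it flags admin-ajax.php requests carrying action=tutor_get_order_by_id from users outside a privileged role set, then groups those hits per user to surface the order-ID enumeration pattern. The key=value log format, the field names (user, role, uri, params), the sample lines and the enumeration threshold are all constructed assumptions; the advisory does not specify whether the action parameter travels in the POST body or the query string, so the example assumes the decoded request parameters are already present in the log.

```python
"""Detection example for the Tutor LMS order-data exposure (added here; not
the advisory's own code). Log format, field names and sample lines below are
constructed assumptions, not real Tutor LMS or WordPress output."""
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample log lines. "params" holds the already-decoded request
# parameters; "role" is the WordPress role of the authenticated user.
SAMPLE_LOG = """\
ts=2025-11-01T10:00:01Z user=alice role=administrator method=POST uri=/wp-admin/admin-ajax.php params=action=tutor_get_order_by_id&order_id=101
ts=2025-11-01T10:00:02Z user=bob role=subscriber method=POST uri=/wp-admin/admin-ajax.php params=action=tutor_get_order_by_id&order_id=101
ts=2025-11-01T10:00:03Z user=bob role=subscriber method=POST uri=/wp-admin/admin-ajax.php params=action=tutor_get_order_by_id&order_id=102
ts=2025-11-01T10:00:04Z user=bob role=subscriber method=POST uri=/wp-admin/admin-ajax.php params=action=tutor_get_order_by_id&order_id=103
ts=2025-11-01T10:00:05Z user=bob role=subscriber method=POST uri=/wp-admin/admin-ajax.php params=action=heartbeat
ts=2025-11-01T10:00:06Z user=carol role=subscriber method=GET uri=/wp-admin/admin-ajax.php params=action=tutor_get_order_by_id&order_id=500
"""

VULNERABLE_ACTION = "tutor_get_order_by_id"   # action named in the advisory
AJAX_URI = "/wp-admin/admin-ajax.php"
PRIVILEGED_ROLES = {"administrator"}          # roles expected to read order data
ENUM_THRESHOLD = 3  # assumed: distinct order IDs per user before alerting


def parse_line(line: str) -> dict:
    """Split one key=value log line into a dict and decode the params field.
    Only the first "=" of each token separates key from value, so the params
    value keeps its own "action=...&order_id=..." content intact."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    qs = parse_qs(fields.get("params", ""), keep_blank_values=True)
    fields["action"] = qs.get("action", [""])[0]
    fields["order_id"] = qs.get("order_id", [""])[0]
    return fields


def find_suspicious(log_text: str, privileged_roles=PRIVILEGED_ROLES) -> list:
    """Equivalent of the advisory's SIEM query: admin-ajax.php requests that
    carry the vulnerable action and come from a non-privileged role."""
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if (ev.get("uri") == AJAX_URI
                and ev["action"] == VULNERABLE_ACTION
                and ev.get("role") not in privileged_roles):
            hits.append(ev)
    return hits


def enumeration_by_user(events: list, threshold: int = ENUM_THRESHOLD) -> dict:
    """Group suspicious events by user and return those who requested at least
    `threshold` distinct order IDs, i.e. the enumeration pattern to alert on."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["user"]].add(ev["order_id"])
    return {user: sorted(ids) for user, ids in seen.items() if len(ids) >= threshold}


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for ev in hits:
        print(f"{ev['ts']} {ev['user']} ({ev['role']}) requested order {ev['order_id']}")
    for user, ids in enumeration_by_user(hits).items():
        print(f"ALERT: {user} enumerated {len(ids)} orders: {', '.join(ids)}")
```

Running it on the constructed sample reports the four non-administrator hits (three from bob, one from carol) and raises an enumeration alert for bob only, since carol requested a single order. Tune PRIVILEGED_ROLES to whichever roles legitimately read orders on your site (for example shop managers, if you use that role) and lower ENUM_THRESHOLD on a low-traffic site, because a single subscriber legitimately viewing several of their own orders is the main false-positive source.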