CVE-2025-13934
📋 TL;DR
This vulnerability allows authenticated WordPress users with subscriber-level access or higher to enroll themselves in any Tutor LMS course without paying. It affects all Tutor LMS plugin versions up to and including 3.9.3 on WordPress sites using this e-learning plugin.
💻 Affected Systems
- Tutor LMS – eLearning and online course solution WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could access all paid course content without payment, potentially causing significant revenue loss and unauthorized access to proprietary educational materials.
Likely Case
Subscribers or low-privilege users enroll in paid courses they shouldn't have access to, bypassing payment systems and potentially accessing premium content.
If Mitigated
With proper access controls and monitoring, unauthorized enrollments can be detected and reversed before significant damage occurs.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authenticated. The vulnerability is publicly documented with code references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.4 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Tutor LMS plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 3.9.4+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Temporarily disable course enrollment
allDisable the vulnerable AJAX endpoint by removing or modifying the course_enrollment() function
Edit wp-content/plugins/tutor/classes/Course.php and comment out or remove the vulnerable course_enrollment() AJAX handler
Restrict user registration
allTemporarily disable new user registration to prevent new attackers from gaining subscriber access
In WordPress admin: Settings → General → uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement strict monitoring of course enrollment logs and user activity
- Temporarily convert all paid courses to private/draft status to prevent unauthorized access
🔍 How to Verify
Check if Vulnerable:
Check Tutor LMS plugin version in WordPress admin: Plugins → Installed Plugins → Tutor LMS. If version is 3.9.3 or lower, you are vulnerable.Check Version:
wp plugin list --name=tutor --field=version (if WP-CLI installed) or check WordPress admin plugins pageVerify Fix Applied:
After updating, verify version is 3.9.4 or higher. Test course enrollment functionality with a subscriber account to ensure proper payment validation occurs.📡 Detection & Monitoring
Log Indicators:
- Unexpected course enrollments without corresponding payment transactions
- Multiple course enrollments from single user in short time period
- Subscriber-level users accessing premium course content
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=tutor_course_enrollment
- Unusual enrollment patterns outside normal business hours
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "tutor_course_enrollment" AND NOT "payment_success"