CVE-2025-13935
📋 TL;DR
The Tutor LMS WordPress plugin has an authorization bypass vulnerability that allows authenticated users with subscriber-level access or higher to mark any course as completed without proper enrollment verification. This affects all Tutor LMS plugin versions up to and including 3.9.2, potentially compromising course completion integrity and certification systems.
💻 Affected Systems
- Tutor LMS – eLearning and online course solution for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could mass-complete courses to obtain fraudulent certifications, bypass paid course requirements, or manipulate learning progress tracking systems, potentially leading to credential fraud and reputational damage.
Likely Case
Individual users exploiting the vulnerability to complete courses they haven't actually taken, potentially bypassing course prerequisites or obtaining completion certificates without proper learning.
If Mitigated
With proper access controls and monitoring, impact is limited to individual user account abuse rather than system-wide compromise.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authenticated. The vulnerability is publicly documented with code references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.9.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Tutor LMS plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.9.3+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Temporarily disable course completion
Disable the course completion functionality until patched
Restrict subscriber access
Temporarily downgrade subscriber roles or restrict access to course completion features
🧯 If You Can't Patch
- Implement additional server-side validation for course completion requests
- Monitor and audit course completion logs for suspicious activity patterns
🔍 How to Verify
Check if Vulnerable:
Check the Tutor LMS plugin version in the WordPress admin panel under Plugins → Installed Plugins. If the version is 3.9.2 or lower, the system is vulnerable.
Check Version:
wp plugin list --name=tutor --field=version
Verify Fix Applied:
After updating, verify version is 3.9.3 or higher. Test course completion functionality with a test subscriber account to ensure proper enrollment verification occurs.
📡 Detection & Monitoring
Log Indicators:
- Multiple course completion events from single user in short timeframe
- Course completions without corresponding enrollment or progress records
- Subscriber-level users completing courses they shouldn't have access to
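As an added example that is not part of this advisory or of the Tutor LMS project, the following Python check applies the first two log indicators above to constructed audit records; the JSON field names and event names are assumptions, not Tutor LMS's own log format.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real Tutor LMS output). Each line is a
# JSON object with the fields an audit plugin might emit for enroll/complete actions.
SAMPLE_LOG = """
{"ts": "2025-11-01T10:00:00", "event": "tutor_course_enroll", "user": "alice", "role": "subscriber", "course": 101}
{"ts": "2025-11-01T10:05:00", "event": "tutor_course_complete", "user": "alice", "role": "subscriber", "course": 101}
{"ts": "2025-11-01T11:00:00", "event": "tutor_course_complete", "user": "mallory", "role": "subscriber", "course": 201}
{"ts": "2025-11-01T11:00:20", "event": "tutor_course_complete", "user": "mallory", "role": "subscriber", "course": 202}
{"ts": "2025-11-01T11:00:45", "event": "tutor_course_complete", "user": "mallory", "role": "subscriber", "course": 203}
"""


def parse_events(text):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_suspicious(events, window=timedelta(minutes=5), burst=3):
    """Return (unenrolled, bursts).

    unenrolled: (user, course) completions with no earlier enrollment record
                (indicator: completion without corresponding enrollment).
    bursts:     users with at least `burst` completions inside `window`
                (indicator: many completions from one user in a short time).
    """
    enrolled = set()
    completions = defaultdict(list)
    unenrolled = []
    # ISO-8601 timestamps sort correctly as strings, so process in time order.
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["course"])
        if e["event"] == "tutor_course_enroll":
            enrolled.add(key)
        elif e["event"] == "tutor_course_complete":
            if key not in enrolled:
                unenrolled.append(key)
            completions[e["user"]].append(datetime.fromisoformat(e["ts"]))
    bursts = []
    for user, times in completions.items():
        times.sort()
        # Sliding window: any `burst` consecutive completions within `window` flags the user.
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window:
                bursts.append(user)
                break
    return unenrolled, bursts


if __name__ == "__main__":
    print(find_suspicious(parse_events(SAMPLE_LOG)))
```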
Network Indicators:
- POST requests to course completion endpoints without proper enrollment verification
SIEM Query:
source="wordpress" AND (event="course_completed" OR event="tutor_course_complete") AND user_role="subscriber"