CVE-2025-6680
📋 TL;DR
The Tutor LMS WordPress plugin, in versions up to and including 3.8.3, contains an access control vulnerability that allows authenticated users with tutor-level permissions or higher to view assignments from courses they do not teach. This exposes potentially sensitive information contained in those assignments. Only WordPress sites running a vulnerable Tutor LMS version are affected.
💻 Affected Systems
- Tutor LMS - eLearning and online course solution WordPress plugin
📦 What is this software?
Tutor LMS by Themeum
⚠️ Risk & Real-World Impact
Worst Case
Malicious tutors could access and exfiltrate sensitive student data, intellectual property, or confidential course materials from other instructors' courses, leading to data breaches and privacy violations.
Likely Case
Curious or opportunistic tutors accidentally or intentionally viewing assignments from courses they shouldn't have access to, potentially seeing student submissions, grades, or instructor feedback.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized viewing only: the flaw grants no modification or deletion capability.
🎯 Exploit Status
Exploitation requires authenticated access with tutor-level permissions. The vulnerability is in the templates/dashboard/assignments/review.php template file, whose access checks are insufficient.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.8.4 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3382577/tutor/trunk/templates/dashboard/assignments/review.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Tutor LMS plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Temporary Access Restriction
Temporarily restrict tutor-level users from accessing the assignment review functionality until the patch is applied.
🧯 If You Can't Patch
- Immediately audit all tutor-level user accounts and review access logs for suspicious activity
- Implement additional monitoring on assignment access patterns and set up alerts for cross-course access attempts
🔍 How to Verify
Check if Vulnerable:
Check Tutor LMS plugin version in WordPress admin panel under Plugins > Installed Plugins
Check Version:
wp plugin list --name=tutor --field=version
Verify Fix Applied:
Verify that the plugin version is 3.8.4 or higher, then test that a tutor account can only open assignments from courses it is assigned to teach.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns where tutor users access assignment IDs from courses they are not assigned to
- Multiple rapid requests to assignment review endpoints from single tutor account
Network Indicators:
- HTTP requests to /wp-content/plugins/tutor/templates/dashboard/assignments/review.php with parameters for non-assigned courses
SIEM Query:
source="wordpress_logs" AND (uri_path="/wp-content/plugins/tutor/templates/dashboard/assignments/review.php") AND user_role="tutor" | stats count by user_id, course_id
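The two log indicators above turned into detection logic over constructed sample log lines, as an added example that is not from the advisory or the Tutor LMS project: a lookup of which courses each tutor teaches, a check for review requests against other courses, and a sliding-window burst check. The log line format, the field names, the course-assignment table and the course_id query parameter are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

REVIEW_PATH = "/wp-content/plugins/tutor/templates/dashboard/assignments/review.php"
TUTOR_COURSES = {"11": {"101", "102"}, "12": {"103"}}  # constructed: tutor id -> courses taught

def parse_line(line):
    """Parse one constructed-format log line: <ISO ts> user=<id> role=<role> uri=<path?query>."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].startswith("uri="):
        return None
    ts, uid, role, uri = (p.split("=", 1)[-1] for p in parts)
    path, _, query = uri.partition("?")
    params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
    return {"ts": datetime.fromisoformat(ts), "user": uid, "role": role,
            "path": path, "course": params.get("course_id")}

def review_events(lines):
    """Parsed events where a tutor-role user hit the assignment review path."""
    return [e for e in map(parse_line, lines)
            if e and e["path"] == REVIEW_PATH and e["role"] == "tutor"]

def find_cross_course_access(lines):
    """(user, course, timestamp) for every review of a course the tutor does not teach."""
    return [(e["user"], e["course"], e["ts"].isoformat()) for e in review_events(lines)
            if e["course"] not in TUTOR_COURSES.get(e["user"], set())]

def find_bursts(lines, threshold=5, window_seconds=60):
    """Tutor ids with at least `threshold` review requests inside any window_seconds span."""
    times = defaultdict(list)
    for e in review_events(lines):
        times[e["user"]].append(e["ts"])
    flagged = set()
    for uid, ts in times.items():
        ts.sort()
        for i in range(len(ts) - threshold + 1):  # sliding window over sorted timestamps
            if (ts[i + threshold - 1] - ts[i]).total_seconds() <= window_seconds:
                flagged.add(uid)
                break
    return sorted(flagged)

def log_line(ts, uid, role, course):
    return f"{ts} user={uid} role={role} uri={REVIEW_PATH}?course_id={course}"

# Constructed sample: tutor 11 views course 103 (not theirs); tutor 12 sends 5 requests in 40 s.
SAMPLE_LOG = [log_line(*a) for a in [
    ("2025-07-01T10:00:00", 11, "tutor", 101), ("2025-07-01T10:00:30", 11, "tutor", 103),
    ("2025-07-01T10:01:00", 12, "tutor", 103), ("2025-07-01T10:02:00", 1, "administrator", 101),
]] + [log_line(f"2025-07-01T10:05:{s:02d}", 12, "tutor", 103) for s in range(0, 50, 10)]
```

On a real deployment the course-assignment table would be loaded from the site's own data rather than hard-coded, and the request path and parameter names adjusted to whatever the web server actually logs.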