CVE-2025-11564: CWE-862 Missing Authorization in themeum Tutor LMS – eLearning and online course solution
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures in the "verifyAndCreateOrderData" function, in all versions up to and including 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'.
AI Analysis
Technical Summary
CVE-2025-11564 is a vulnerability in the Tutor LMS plugin for WordPress, a widely used eLearning and online course management solution. The root cause is a missing authorization check (CWE-862) in the 'verifyAndCreateOrderData' function, which handles payment webhooks from the configured gateway. A webhook handler should act on a request only after establishing, by verifying the gateway's signature, that the request really came from the gateway. According to the advisory, that check is missing for requests whose `payment_type` is 'recurring', so an unauthenticated attacker can send a forged webhook with that field set and have the targeted order marked as paid even though no payment took place. All versions up to and including 3.8.3 are affected. The CVSS v3.1 base score is 5.3 (medium): network attack vector (AV:N), no privileges required (PR:N), no user interaction (UI:N), and a low integrity impact (I:L) with no confidentiality or availability impact, which corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. Read the score with care: on a site whose revenue depends on paid enrolment, a "low" integrity impact still means an attacker can grant themselves, or anyone they choose, any course or subscription for free. At the time of writing no patch or official fix is linked to the advisory and no in-the-wild exploitation has been reported, but the weakness sits directly on the path that decides whether money was received, so it is a fraud and revenue-loss risk for any organization selling courses or subscriptions through the plugin.
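The failure mode described above is a webhook handler that lets a field in the (attacker-controlled) request body decide whether the authenticity check runs. The following Python block is an added illustration of that weakness class and its fix; it is not Tutor LMS code and makes no claim about how the plugin's `verifyAndCreateOrderData` is written. The HMAC-SHA256 signing scheme, the shared secret, the JSON field names and the order ids are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret for the example only. A real deployment takes this
# from the payment gateway's configuration, never from anything in the request.
WEBHOOK_SECRET = b"example-shared-secret-not-for-production"


def sign_payload(body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 over the raw body, as a gateway would attach to a genuine webhook."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def signature_is_valid(body: bytes, signature: Optional[str],
                       secret: bytes = WEBHOOK_SECRET) -> bool:
    """Constant-time comparison. A missing signature is a failure, not a reason to skip."""
    if not signature:
        return False
    return hmac.compare_digest(sign_payload(body, secret), signature)


def weak_handle_webhook(body: bytes, signature: Optional[str]) -> str:
    """Hypothetical weak handler (illustrative, not the plugin's code): the
    attacker-controlled payment_type field decides whether the signature is checked."""
    data = json.loads(body)
    if data.get("payment_type") != "recurring":
        if not signature_is_valid(body, signature):
            return "rejected"
    # For 'recurring' the signature was never verified, yet the order is marked paid.
    return f"paid:{data['order_id']}"


def hardened_handle_webhook(body: bytes, signature: Optional[str]) -> str:
    """Verify authenticity first, using only the secret and the raw bytes;
    parse the payload and branch on its contents only after that."""
    if not signature_is_valid(body, signature):
        return "rejected"
    data = json.loads(body)
    if data.get("status") != "succeeded":
        return "ignored"
    return f"paid:{data['order_id']}"


def demo() -> dict:
    """Constructed requests: a forged 'recurring' webhook with no signature,
    a genuine webhook signed with the shared secret, and a tampered copy of it."""
    forged = json.dumps({"order_id": 1234, "payment_type": "recurring",
                         "status": "succeeded"}).encode()
    genuine = json.dumps({"order_id": 1235, "payment_type": "one-time",
                          "status": "succeeded"}).encode()
    tampered = genuine.replace(b"1235", b"9999")  # body changed, signature not re-made
    return {
        "weak_forged": weak_handle_webhook(forged, None),
        "hardened_forged": hardened_handle_webhook(forged, None),
        "weak_genuine": weak_handle_webhook(genuine, sign_payload(genuine)),
        "hardened_genuine": hardened_handle_webhook(genuine, sign_payload(genuine)),
        "hardened_tampered": hardened_handle_webhook(tampered, sign_payload(genuine)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the hardened version is ordering: the only inputs to the authenticity decision are the raw bytes and the server-side secret, and nothing parsed out of the body is consulted until that decision has been made. Any branch that can skip the check based on payload content is reachable by whoever controls the payload.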
Potential Impact
For European organizations using Tutor LMS, this vulnerability can give attackers access to paid course content without payment, causing direct financial loss and undermining trust in the eLearning platform. The integrity of payment records is compromised, which also affects accounting and compliance processes: an order the LMS shows as paid may have no corresponding transaction at the payment gateway. Confidentiality and availability are not affected, but the ability to bypass payment verification enables fraud, revenue leakage and reputational damage. Note that the 'recurring' value is supplied by the attacker in the forged request; the advisory does not say that a site must actually sell subscriptions to be affected, so one-off course sales should be considered exposed as well. Organizations that do sell subscriptions face the additional risk of prolonged unauthorized access and of incorrect renewal and entitlement records, which may also affect contractual arrangements with content providers or instructors. For regulated institutions such as universities and professional training providers, weak payment controls can create compliance issues under financial and data protection rules. The medium severity score indicates that the issue is not critical in CVSS terms, but on a site whose business is paid enrolment it should be treated as a priority and addressed promptly.
Mitigation Recommendations
1. Monitor for updates from Themeum and apply the official fix as soon as one is released; treat every version at or below 3.8.3 as affected.
2. Until a patch is available, validate webhooks outside the plugin: verify the gateway's signature at the web server or in a small proxy in front of the webhook endpoint, and reject any request that lacks a valid signature regardless of the fields in its body. This requires the gateway's documented signing scheme and the shared secret; no value in the request body should decide whether the check runs.
3. Where the gateway publishes stable source IP ranges, allowlist them at the firewall or web server for the webhook endpoint. Treat this as defence in depth rather than a replacement for signature verification, since ranges change and some gateways send from shared infrastructure.
4. Audit order status changes and payment records for orders marked 'paid', especially those with payment_type 'recurring', that have no matching successful transaction in the gateway's own records; reconcile regularly and revoke access for orders that do not reconcile.
5. For high-value courses, confirm payment against the gateway's API or dashboard before granting or renewing access rather than trusting the LMS order status alone.
6. Disable webhook endpoints and payment methods that are not in use, and review which accounts hold administrative access to the plugin.
7. Keep backups and retain web server and application logs, including raw webhook requests where possible, to support forensic analysis if exploitation is suspected.
8. If patching is delayed or unavailable, evaluate whether the payment workflow can be moved to a better-maintained component or an alternative LMS.
9. Ask the payment gateway provider which webhook authentication mechanisms it supports and make sure they are enabled.
10. Include the payment and enrolment workflow in penetration testing, with forged webhooks as an explicit test case.
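Item 4 above is the control that catches exploitation after the fact: a forged webhook can flip an order to 'paid' inside the LMS, but it cannot create a transaction on the gateway's side, so the two record sets stop agreeing. The block below is an added reconciliation example, not code from the page or from Themeum. The order and transaction record shapes, the status strings and all ids and amounts are constructed for the example; a real run would load the LMS orders from the site database and the transactions from the gateway's export or API.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Order:
    """Constructed LMS-side order record (hypothetical field names)."""
    order_id: int
    status: str              # e.g. 'paid', 'pending'
    payment_type: str        # 'one-time' or 'recurring'
    gateway_txn_id: Optional[str]
    amount: float


@dataclass(frozen=True)
class GatewayTxn:
    """Constructed gateway-side transaction record (hypothetical field names)."""
    txn_id: str
    order_id: int
    amount: float
    status: str              # gateway's own result, e.g. 'succeeded', 'failed'


def reconcile(orders: List[Order], gateway: List[GatewayTxn]) -> List[Tuple[int, str]]:
    """Return (order_id, reason) for every order the LMS shows as paid that the
    gateway's records do not back. Only the gateway's view counts as evidence
    of money received; the LMS status is what a forged webhook can change."""
    by_txn: Dict[str, GatewayTxn] = {t.txn_id: t for t in gateway}
    findings: List[Tuple[int, str]] = []
    for o in orders:
        if o.status != "paid":
            continue
        tag = " (payment_type=recurring)" if o.payment_type == "recurring" else ""
        if not o.gateway_txn_id:
            findings.append((o.order_id, "paid with no gateway transaction id" + tag))
            continue
        t = by_txn.get(o.gateway_txn_id)
        if t is None:
            findings.append((o.order_id, f"transaction {o.gateway_txn_id} unknown to gateway" + tag))
        elif t.order_id != o.order_id:
            findings.append((o.order_id, f"transaction {t.txn_id} belongs to order {t.order_id}" + tag))
        elif t.status != "succeeded":
            findings.append((o.order_id, f"gateway status is '{t.status}'" + tag))
        elif abs(t.amount - o.amount) > 0.005:
            findings.append((o.order_id,
                             f"amount mismatch: LMS {o.amount:.2f} vs gateway {t.amount:.2f}" + tag))
    return findings


# Constructed sample data with hypothetical ids; the comments say what each row exercises.
SAMPLE_ORDERS = [
    Order(1001, "paid", "one-time", "tx_a1", 49.00),    # backed by a successful txn
    Order(1002, "paid", "recurring", "tx_b2", 19.00),   # backed by a successful txn
    Order(1003, "paid", "recurring", None, 19.00),      # paid with no transaction at all
    Order(1004, "paid", "recurring", "tx_zz", 19.00),   # references a txn the gateway never issued
    Order(1005, "paid", "one-time", "tx_c3", 49.00),    # gateway says the charge failed
    Order(1006, "pending", "recurring", None, 19.00),   # not paid, nothing to check
    Order(1007, "paid", "one-time", "tx_d4", 99.00),    # amount disagrees with the gateway
]
SAMPLE_GATEWAY = [
    GatewayTxn("tx_a1", 1001, 49.00, "succeeded"),
    GatewayTxn("tx_b2", 1002, 19.00, "succeeded"),
    GatewayTxn("tx_c3", 1005, 49.00, "failed"),
    GatewayTxn("tx_d4", 1007, 49.00, "succeeded"),
]


def run_sample() -> List[Tuple[int, str]]:
    return reconcile(SAMPLE_ORDERS, SAMPLE_GATEWAY)


if __name__ == "__main__":
    for order_id, reason in run_sample():
        print(f"order {order_id}: {reason}")
```

Run this on a schedule and alert on any finding; an order marked paid with no gateway transaction id, or with an id the gateway has never seen, is exactly the artefact a forged webhook leaves behind. The `payment_type` tag is only a hint for triage, since the attacker chooses that value.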
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-09T14:26:27.293Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fc626907185a1a52fd7609
Added to database: 10/25/2025, 5:38:49 AM
Last enriched: 10/25/2025, 6:58:55 AM
Last updated: 10/30/2025, 1:48:11 PM