CVE-2025-11564: CWE-862 Missing Authorization in themeum Tutor LMS – eLearning and online course solution
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'.
AI Analysis
Technical Summary
CVE-2025-11564 is a CWE-862 (Missing Authorization) flaw in the Tutor LMS plugin for WordPress, a widely used eLearning and course-selling solution. The weakness sits in the verifyAndCreateOrderData function, which receives payment-gateway webhooks and creates or updates order data from them. The CVE record describes it as a missing capability check while verifying webhook signatures; in practice the signature that should authenticate a webhook as coming from the gateway is not enforced for requests whose payment_type is 'recurring', so an unauthenticated attacker can send a forged webhook on that path and have the targeted order marked as paid without any payment having occurred. Only the integrity of order data is affected, but for a course-selling site the order status is the control that gates access to paid content. All versions up to and including 3.8.3 are affected. The CVSS v3.1 base score is 5.3 (Medium); the listed components are AV:N, PR:N, UI:N and I:L with no confidentiality or availability impact, which corresponds to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. No public exploit has been reported, but the flaw requires neither credentials nor user interaction, and its business impact (free access to paid courses) is larger than the integrity-only score suggests. The root cause is that authorization of the webhook, which for a server-to-server callback means verifying its signature against the gateway's shared secret, is not applied uniformly before the order state is changed.
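The bypass pattern the advisory describes, as an added example written for this page (Python rather than the plugin's PHP; it is not Tutor LMS code): a handler that only checks the gateway signature on one code path, beside one that authenticates the raw body before reading any field from it. The function names, header name, JSON fields and secret are assumptions chosen to mirror the description, not the plugin's real ones.

```python
"""
Constructed model of the signature-bypass pattern described for CVE-2025-11564.
Nothing here is Tutor LMS code: function names, the X-Signature header, the JSON
fields and the secret are assumptions that mirror the advisory's description.
"""
import hashlib
import hmac
import json

# Assumed shared secret between the LMS and its payment gateway (constructed).
GATEWAY_SECRET = b"constructed-demo-secret"


class OrderStore:
    """Minimal in-memory order table standing in for the plugin's database."""

    def __init__(self):
        self.orders = {"order-1001": "pending", "order-1002": "pending"}

    def mark_paid(self, order_id):
        self.orders[order_id] = "paid"

    def status(self, order_id):
        return self.orders.get(order_id)


def sign_body(raw_body: bytes, secret: bytes = GATEWAY_SECRET) -> str:
    """How a legitimate gateway signs a webhook: HMAC-SHA256 over the raw body."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def signature_is_valid(raw_body: bytes, presented, secret: bytes = GATEWAY_SECRET) -> bool:
    # compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(sign_body(raw_body, secret), presented or "")


def vulnerable_verify_and_create_order(raw_body, headers, store):
    """Mirrors the flaw class: the signature is only checked on one code path.

    A request that declares payment_type == 'recurring' reaches mark_paid()
    without its signature ever being compared against the secret.
    """
    payload = json.loads(raw_body)
    if payload.get("payment_type") == "recurring":
        # BUG: verification skipped for the recurring path.
        store.mark_paid(payload["order_id"])
        return True
    if not signature_is_valid(raw_body, headers.get("X-Signature")):
        return False
    store.mark_paid(payload["order_id"])
    return True


def hardened_verify_and_create_order(raw_body, headers, store):
    """Fix: authenticate the message before reading any field of it.

    The HMAC covers the raw bytes, so the attacker cannot choose payment_type,
    order_id or anything else without invalidating the tag.
    """
    if not signature_is_valid(raw_body, headers.get("X-Signature")):
        return False
    payload = json.loads(raw_body)
    if payload.get("status") != "succeeded":
        return False
    store.mark_paid(payload["order_id"])
    return True


def forged_recurring_request(order_id):
    """What an unauthenticated attacker can send: any body plus a made-up signature."""
    body = json.dumps({"order_id": order_id, "payment_type": "recurring",
                       "status": "succeeded"}).encode()
    return body, {"X-Signature": "0" * 64}


def genuine_request(order_id):
    """A webhook the real gateway would send, signed with the shared secret."""
    body = json.dumps({"order_id": order_id, "payment_type": "one-time",
                       "status": "succeeded"}).encode()
    return body, {"X-Signature": sign_body(body)}


def run_demo():
    """Feed the same forgery to both handlers and report what each did."""
    results = {}
    body, hdrs = forged_recurring_request("order-1001")
    vuln = OrderStore()
    results["vulnerable_accepts_forgery"] = vulnerable_verify_and_create_order(body, hdrs, vuln)
    results["vulnerable_status"] = vuln.status("order-1001")
    hard = OrderStore()
    results["hardened_accepts_forgery"] = hardened_verify_and_create_order(body, hdrs, hard)
    results["hardened_status"] = hard.status("order-1001")
    body, hdrs = genuine_request("order-1002")
    results["hardened_accepts_genuine"] = hardened_verify_and_create_order(body, hdrs, hard)
    results["hardened_genuine_status"] = hard.status("order-1002")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler accepts the forged 'recurring' request and flips order-1001 to paid; the hardened one rejects it and still accepts the genuinely signed request. The design point is ordering: the signature check is the only authorization a gateway callback has, so it must run before any request field is consulted, and the check must cover the raw body rather than a re-serialised copy.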
Potential Impact
The direct impact is unauthorized modification of order data: an attacker can mark an order as paid without paying, which amounts to obtaining the course for free. For organizations selling courses through Tutor LMS this means lost revenue and unauthorized access to premium content, and it undermines any downstream process that trusts the order status for enrolment and access control. Confidentiality and availability are not directly affected, but the integrity breach can damage customer trust and the site's reputation. Exploitation needs no credentials and no user interaction, and both WordPress and Tutor LMS are widely deployed, so the exposure is broad. No exploitation in the wild has been reported, but every installation on 3.8.3 or earlier remains at risk until it is patched or the webhook endpoint is otherwise protected.
Mitigation Recommendations
Update Tutor LMS to a patched version as soon as the vendor provides one; the advisory lists all versions up to and including 3.8.3 as affected, so anything at or below that needs upgrading. Until then, compensating controls should focus on the webhook endpoint itself. A WordPress capability check is not the right tool here: a gateway callback carries no logged-in user, so the authorization decision is the signature check, and it must run on every request, including those with payment_type set to 'recurring', before any order status is changed. Where the gateway publishes its source IP ranges, restrict the webhook endpoint to those ranges at the web server or WAF; treat this as defence in depth rather than the primary control, since gateway ranges change and some gateways do not publish them. A WAF rule that blocks every request carrying payment_type 'recurring' will also block legitimate recurring-payment webhooks, so scope any such rule to requests from untrusted sources or to requests lacking the gateway's signature header. Monitor order status transitions to 'paid' and reconcile them against the gateway's own transaction records; an order marked paid with no matching gateway transaction is the clearest indicator of exploitation. Log webhook requests with their source address and whether a signature was present so that such reconciliations can be investigated. Finally, audit the LMS environment periodically, brief administrators on what payment fraud looks like in the order list, and keep the payment-processing components isolated under least privilege so that a forged request cannot do more than change an order.
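Two of the checks above, webhook-log triage and order reconciliation, as an added example run over constructed data. This is not Tutor LMS code; the log format, order ledger, gateway export and allowlisted network are all assumptions made for the example, and the real gateway ranges would come from the gateway's documentation.

```python
"""
Constructed detection for the outcome of CVE-2025-11564: orders that became 'paid'
without a matching gateway-side settlement. Log format, ledger layout, gateway
export and the allowlisted network are assumptions for this example only.
"""
import ipaddress
import json

# Assumed gateway source network (constructed; use the gateway's published ranges).
GATEWAY_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed webhook access log: one JSON object per line, as a reverse proxy
# could be configured to emit for the webhook route.
WEBHOOK_LOG = """\
{"ts":"2025-10-20T09:00:01Z","src":"203.0.113.7","order_id":"order-2001","payment_type":"one-time","sig_present":true}
{"ts":"2025-10-20T09:05:12Z","src":"198.51.100.23","order_id":"order-2002","payment_type":"recurring","sig_present":false}
{"ts":"2025-10-20T09:06:40Z","src":"198.51.100.23","order_id":"order-2003","payment_type":"recurring","sig_present":true}
{"ts":"2025-10-20T09:10:00Z","src":"203.0.113.9","order_id":"order-2004","payment_type":"recurring","sig_present":true}
"""

# Constructed LMS order ledger (what the plugin believes).
LMS_ORDERS = {
    "order-2001": {"status": "paid"},
    "order-2002": {"status": "paid"},
    "order-2003": {"status": "paid"},
    "order-2004": {"status": "paid"},
    "order-2005": {"status": "pending"},
}

# Constructed export from the gateway dashboard (what was actually settled).
GATEWAY_TXNS = [
    {"txn_id": "txn_a1", "order_id": "order-2001", "amount": 49.0},
    {"txn_id": "txn_b2", "order_id": "order-2004", "amount": 9.0},
]


def parse_log(text):
    """Parse JSON-per-line log text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def from_gateway(src, networks=GATEWAY_NETWORKS):
    """True if the source address falls inside an allowlisted gateway network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)


def suspicious_webhooks(events, networks=GATEWAY_NETWORKS):
    """Flag webhook calls a WAF rule or log review should escalate.

    A call is suspicious if it did not come from the gateway's ranges or if it
    carried no signature at all. payment_type alone is deliberately NOT a
    reason: legitimate recurring-payment webhooks also say 'recurring'.
    """
    flagged = []
    for ev in events:
        reasons = []
        if not from_gateway(ev["src"], networks):
            reasons.append("source not in gateway allowlist")
        if not ev.get("sig_present"):
            reasons.append("no signature header")
        if reasons:
            flagged.append({"order_id": ev["order_id"], "src": ev["src"], "reasons": reasons})
    return flagged


def unreconciled_paid_orders(lms_orders, gateway_txns):
    """Orders the LMS marks paid that the gateway never settled.

    This catches the exploit outcome directly, whichever path the forgery took,
    so it works even when webhook logs are missing.
    """
    settled = {t["order_id"] for t in gateway_txns}
    return sorted(oid for oid, order in lms_orders.items()
                  if order["status"] == "paid" and oid not in settled)


def triage():
    """Run both checks over the constructed data and return the findings."""
    events = parse_log(WEBHOOK_LOG)
    return {
        "suspicious": suspicious_webhooks(events),
        "unreconciled": unreconciled_paid_orders(LMS_ORDERS, GATEWAY_TXNS),
    }


if __name__ == "__main__":
    print(json.dumps(triage(), indent=2))
```

On this data both checks converge on order-2002 and order-2003: their webhooks came from outside the gateway's range (one with no signature at all) and the gateway has no settlement for either. The reconciliation check is the one to automate first, because it does not depend on having captured the webhook traffic and it flags the fraudulent order regardless of how the forgery was delivered.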
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, Brazil, France, Netherlands, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-09T14:26:27.293Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fc626907185a1a52fd7609
Added to database: 10/25/2025, 5:38:49 AM
Last enriched: 2/27/2026, 7:08:06 PM
Last updated: 3/24/2026, 8:10:48 AM