CVE-2025-13628: CWE-862 Missing Authorization in themeum Tutor LMS – eLearning and online course solution
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons.
AI Analysis
Technical Summary
CVE-2025-13628 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Tutor LMS plugin for WordPress, a popular e-learning and online course management solution. The issue arises from the absence of proper capability checks in two key functions: 'bulk_action_handler' and 'coupon_permanent_delete'. These functions handle bulk operations and permanent deletion of coupons, respectively. Because the plugin does not verify whether the authenticated user has the necessary permissions before allowing these actions, any user with subscriber-level access or higher can manipulate coupon data arbitrarily. This includes deleting, activating, deactivating, or trashing coupons without authorization. The vulnerability affects all versions up to and including 3.9.3. The CVSS v3.1 score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, and low privileges (authenticated user), but does not impact confidentiality or availability. No user interaction is required beyond authentication. Although no exploits are currently known in the wild, the vulnerability poses a risk to the integrity of coupon data, potentially allowing attackers to disrupt promotional campaigns or cause financial discrepancies. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for interim mitigations.
Potential Impact
The primary impact of this vulnerability is on data integrity within the Tutor LMS environment. Attackers with subscriber-level access can manipulate coupon data, which could lead to unauthorized coupon deletions or activations, potentially causing financial losses or disruption of marketing strategies. While confidentiality and availability are not directly affected, the unauthorized modification of coupons can undermine trust in the e-learning platform and affect revenue streams. Organizations relying on Tutor LMS for course monetization or promotions are at risk of fraudulent coupon usage or denial of legitimate coupon benefits. This could also lead to administrative overhead to detect and remediate unauthorized changes. Since the vulnerability requires only low-level authenticated access, it broadens the scope of potential attackers to include any registered user, increasing the risk surface. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially if attackers develop exploits in the future.
Mitigation Recommendations
1. Immediately restrict subscriber-level user permissions to the minimum necessary, especially limiting access to coupon management features.
2. Monitor and audit coupon-related activities within Tutor LMS to detect unusual deletions or modifications.
3. If possible, temporarily disable coupon functionalities or bulk actions until a patch is released.
4. Contact the vendor (themeum) for updates or patches addressing this vulnerability and apply them promptly once available.
5. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting coupon management endpoints.
6. Educate administrators to regularly review user roles and permissions to prevent privilege escalation or misuse.
7. Consider deploying additional authentication controls or multi-factor authentication to reduce the risk of compromised accounts being used to exploit this vulnerability.
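As an added example, not code from Tutor LMS or themeum, the following WordPress AJAX handler shows the capability check whose absence the technical summary describes for 'bulk_action_handler', together with the action logging that mitigation 2 relies on. The hook name, capability name, post-type storage and meta key are assumptions, not the plugin's real identifiers.

```php
<?php
// Added example, not Tutor LMS code: a WordPress AJAX bulk-action handler for
// coupons carrying the authorization check CVE-2025-13628 describes as missing.
// Hook name, capability, meta key and post-type storage are hypothetical.
const EXAMPLE_COUPON_CAP = 'manage_options'; // hypothetical capability name
add_action( 'wp_ajax_example_coupon_bulk_action', 'example_coupon_bulk_action_handler' );

function example_coupon_bulk_action_handler() {
    // CSRF: the request must carry a nonce issued for this specific action.
    check_ajax_referer( 'example_coupon_bulk_action', 'nonce' );

    // Authorization (the CWE-862 check): being logged in is not enough. A
    // subscriber reaches this wp_ajax_ hook but must be refused here.
    if ( ! current_user_can( EXAMPLE_COUPON_CAP ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Allowlist the actions the UI offers; reject anything else.
    $allowed = array( 'activate', 'deactivate', 'trash', 'delete' );
    $action  = sanitize_key( wp_unslash( $_POST['bulk_action'] ?? '' ) );
    if ( ! in_array( $action, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown bulk action.' ), 400 );
    }

    // Coerce submitted IDs to positive integers; drop zeros and junk.
    $ids = array_filter( array_map( 'absint', (array) ( $_POST['coupon_ids'] ?? array() ) ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( array( 'message' => 'No coupons selected.' ), 400 );
    }

    // Record actor, action and targets so audits (mitigation 2) can spot
    // unexpected coupon changes.
    error_log( sprintf( 'coupon bulk action: user=%d action=%s ids=%s',
        get_current_user_id(), $action, implode( ',', $ids ) ) );

    example_apply_coupon_action( $action, $ids );
    wp_send_json_success( array( 'updated' => count( $ids ) ) );
}

// Hypothetical storage: assumes each coupon is a post with a status meta key.
function example_apply_coupon_action( $action, array $ids ) {
    foreach ( $ids as $id ) {
        switch ( $action ) {
            case 'activate':   update_post_meta( $id, 'coupon_status', 'active' );   break;
            case 'deactivate': update_post_meta( $id, 'coupon_status', 'inactive' ); break;
            case 'trash':      wp_trash_post( $id );        break;
            case 'delete':     wp_delete_post( $id, true ); break;
        }
    }
}
```

Because wp_send_json_error() ends the request, every failed check above stops the handler before any coupon is touched.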
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-24T21:38:45.491Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6960b130ecefc3cd7c0f7cf3
Added to database: 1/9/2026, 7:41:36 AM
Last enriched: 2/27/2026, 10:05:37 AM
Last updated: 3/24/2026, 11:25:06 PM
Views: 53