CVE-2025-13628: CWE-862 Missing Authorization in themeum Tutor LMS – eLearning and online course solution
CVE-2025-13628 is a medium severity vulnerability in the Tutor LMS WordPress plugin that allows authenticated users with subscriber-level access or higher to modify or delete coupon data without proper authorization checks. The flaw stems from missing capability checks in the 'bulk_action_handler' and 'coupon_permanent_delete' functions, enabling unauthorized deletion, activation, deactivation, or trashing of coupons. Exploitation does not require user interaction beyond authentication and can impact the integrity of coupon data, potentially disrupting eLearning platform operations. No known exploits are currently reported in the wild, and all versions up to 3.9.3 are affected. The vulnerability has a CVSS score of 4.3, reflecting limited impact on confidentiality and availability but a clear integrity risk. European organizations using Tutor LMS for online education are at risk, especially those with many users assigned subscriber roles. Mitigation requires applying patches once available, restricting user roles, and implementing additional access controls.
AI Analysis
Technical Summary
CVE-2025-13628 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Tutor LMS plugin for WordPress, a widely used eLearning and online course management solution. The vulnerability arises because the plugin's 'bulk_action_handler' and 'coupon_permanent_delete' functions lack proper capability checks, allowing authenticated users with subscriber-level privileges or higher to perform unauthorized actions on coupon data. Specifically, attackers can delete, activate, deactivate, or trash arbitrary coupons without having the necessary permissions. This flaw compromises the integrity of the coupon system, which could lead to unauthorized discount manipulation, financial loss, or disruption of course enrollment processes. The vulnerability affects all versions up to and including 3.9.3. The CVSS v3.1 base score is 4.3, indicating a medium severity level, with an attack vector of network, low attack complexity, requiring privileges (authenticated users), no user interaction, and unchanged scope. There are no known exploits in the wild as of the publication date, and no patches have been linked yet. The vulnerability is particularly concerning in environments where subscriber-level users are numerous and trusted, as it allows them to escalate their impact on the system without further privilege escalation. The missing authorization checks represent a common security oversight in plugin development, emphasizing the need for rigorous access control validation in WordPress plugins managing sensitive data.
Potential Impact
For European organizations using Tutor LMS, this vulnerability can lead to unauthorized manipulation or deletion of coupon data, undermining the integrity of promotional and enrollment mechanisms. This could result in financial losses due to unauthorized discounts or the inability to properly manage course access. Educational institutions and training providers relying on Tutor LMS may face operational disruptions and reputational damage if attackers exploit this flaw to tamper with course offerings. Since the vulnerability requires only subscriber-level authentication, insider threats or compromised low-privilege accounts pose a significant risk. The impact on confidentiality and availability is minimal, but the integrity impact is notable. Organizations with large user bases and multiple subscriber accounts are at higher risk. Additionally, the lack of patches means that until updates are released and applied, the risk remains persistent. The vulnerability could also be leveraged as part of a broader attack chain to undermine trust in eLearning platforms, which are increasingly critical in European education and corporate training sectors.
Mitigation Recommendations
1. Immediately restrict subscriber-level user capabilities to the minimum necessary, removing any permissions related to coupon management if possible.
2. Monitor and audit user actions related to coupon creation, modification, and deletion to detect suspicious activity.
3. Implement additional access control layers via WordPress security plugins or custom code to enforce capability checks on coupon-related actions.
4. Segregate user roles and limit the number of users with elevated privileges to reduce the attack surface.
5. Regularly back up coupon and course data to enable recovery in case of unauthorized modifications.
6. Stay alert for official patches or updates from Themeum and apply them promptly once available.
7. Consider deploying a Web Application Firewall (WAF) with rules tailored to detect and block unauthorized coupon manipulation attempts.
8. Educate administrators and users about the risks of privilege misuse and enforce strong authentication mechanisms to prevent account compromise.
9. Conduct a thorough review of all customizations or third-party plugins that interact with Tutor LMS coupons to ensure they do not exacerbate the vulnerability.
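As an added illustration (not Tutor LMS code and not from this advisory), the missing-capability-check pattern the Technical Summary describes is shown beside a hardened handler and the kind of site-side guard that mitigation item 3 calls for. Every function, hook, nonce and capability name here is assumed, and `example_apply_coupon_bulk_action` stands in for the plugin's own coupon update logic.

```php
<?php
// Illustration of the CWE-862 pattern described above and its hardened form.
// All names (functions, hook, nonce, capability) are assumptions, not Tutor LMS code.

// Vulnerable shape: the handler assumes only administrators will call it.
function example_coupon_bulk_handler_vulnerable() {
    $action = sanitize_text_field( wp_unslash( $_POST['bulk-action'] ?? '' ) );
    $ids    = array_map( 'absint', (array) ( $_POST['bulk-ids'] ?? array() ) );
    // No nonce and no current_user_can() check: any logged-in user who can reach
    // admin-ajax.php (subscribers included) can trash or delete the listed coupons.
    example_apply_coupon_bulk_action( $action, $ids );
    wp_send_json_success();
}

// Hardened shape: verify the nonce, then require a coupon-management capability.
function example_coupon_bulk_handler_hardened() {
    // Nonce action 'example_coupon_nonce' must match what the admin UI emits
    // via wp_create_nonce(); the POST field carrying it is assumed to be 'nonce'.
    check_ajax_referer( 'example_coupon_nonce', 'nonce' );

    // 'manage_options' is the built-in administrator capability; a plugin would
    // usually register a narrower one such as 'manage_coupons' (assumed name).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $allowed = array( 'activate', 'deactivate', 'trash', 'delete' );
    $action  = sanitize_text_field( wp_unslash( $_POST['bulk-action'] ?? '' ) );
    $ids     = array_map( 'absint', (array) ( $_POST['bulk-ids'] ?? array() ) );

    if ( ! in_array( $action, $allowed, true ) || empty( $ids ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request' ), 400 );
    }
    example_apply_coupon_bulk_action( $action, $ids );
    wp_send_json_success();
}

// Site-side guard (drop into wp-content/mu-plugins/) that runs before a plugin's
// own handler: hook the same AJAX action with a lower priority number, log the
// attempt for auditing, and stop callers without the capability. The action name
// 'example_coupon_bulk_action' is a placeholder; this page does not give the real one.
add_action( 'wp_ajax_example_coupon_bulk_action', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf( 'Blocked coupon bulk action by user %d', get_current_user_id() ) );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
}, 1 );
```

The guard only helps if it is registered on the exact `wp_ajax_{action}` hook the plugin uses, so confirm the real action name in the installed plugin before relying on it.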
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-24T21:38:45.491Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6960b130ecefc3cd7c0f7cf3
Added to database: 1/9/2026, 7:41:36 AM
Last enriched: 1/16/2026, 9:57:47 AM
Last updated: 2/4/2026, 7:09:07 PM