CVE-2025-13679 is a vulnerability identified in the Tutor LMS plugin for WordPress, widely used for eLearning and online course management. The root cause is a missing authorization check in the get_order_by_id() function, which fails to verify whether the authenticated user has the necessary permissions to access order details. This flaw allows any authenticated user with at least Subscriber-level privileges to enumerate order IDs and retrieve sensitive personal information related to course orders, including student names, email addresses, phone numbers, and billing addresses. The vulnerability affects all versions up to and including 3.9.3. The attack vector is remote network access requiring authentication but no additional user interaction, making it relatively easy to exploit once credentials are obtained. The CVSS 3.1 base score is 6.5, indicating a medium severity primarily due to the high confidentiality impact but no impact on integrity or availability. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability falls under CWE-862 (Missing Authorization), highlighting a common security oversight in access control implementation. Organizations using Tutor LMS should be aware that attackers could leverage this flaw to harvest PII, potentially leading to privacy violations and regulatory non-compliance, especially under GDPR in Europe.

For European organizations, the unauthorized disclosure of PII through this vulnerability can lead to significant privacy breaches, regulatory penalties under GDPR, and reputational damage. Educational institutions and eLearning providers using Tutor LMS may expose sensitive student data, risking identity theft and phishing attacks. The breach of confidentiality could undermine trust in digital learning platforms and result in costly incident response and remediation efforts. Since the vulnerability requires only low-level authenticated access, insider threats or compromised subscriber accounts could be leveraged to exploit this flaw. Although the vulnerability does not affect system integrity or availability, the exposure of personal data alone is critical in the European context, where data protection laws impose strict requirements on handling and securing personal information.

Immediate mitigation should focus on restricting access to the Tutor LMS plugin and its order management features to trusted users only, minimizing the number of accounts with Subscriber-level or higher privileges. Organizations should implement strong authentication mechanisms, including multi-factor authentication, to reduce the risk of account compromise. Monitoring and logging access to order data can help detect suspicious enumeration attempts. Until an official patch is released, consider applying custom code fixes or access control filters to enforce capability checks on the get_order_by_id() function. Regularly update WordPress and all plugins to the latest versions and subscribe to vendor security advisories for timely patch deployment. Additionally, conduct security awareness training for administrators and users to recognize and report unusual activity. For organizations with compliance obligations, perform a data protection impact assessment and notify relevant supervisory authorities if a data breach occurs.