CVE-2025-13679 affects the Tutor LMS plugin for WordPress, a widely used eLearning and online course management solution. The vulnerability is due to a missing authorization check (CWE-862) in the get_order_by_id() function, which fails to verify whether the authenticated user has the necessary permissions to access order details. As a result, any authenticated user with Subscriber-level access or higher can enumerate order IDs and retrieve sensitive order information, including personally identifiable information (PII) such as student names, email addresses, phone numbers, and billing addresses. This unauthorized access occurs without requiring user interaction and can be exploited remotely over the network. The vulnerability affects all versions up to and including 3.9.3 of Tutor LMS. Although no patches are currently linked, the issue has been publicly disclosed and assigned a CVSS v3.1 score of 6.5, indicating a medium severity level. The flaw compromises confidentiality but does not affect data integrity or availability. Since the vulnerability requires only low-level authenticated access, it is particularly concerning in environments where user registration is open or poorly controlled. The lack of known exploits in the wild suggests limited active exploitation, but the potential for data leakage remains significant, especially for organizations handling sensitive student data.

For European organizations using Tutor LMS, this vulnerability can lead to unauthorized disclosure of sensitive student information, violating data protection regulations such as GDPR. Exposure of PII like names, emails, phone numbers, and billing addresses can result in privacy breaches, reputational damage, and potential legal penalties. Educational institutions and training providers relying on this plugin may face increased risk of data exfiltration by malicious insiders or compromised low-privilege accounts. The breach of confidentiality could also facilitate targeted phishing or social engineering attacks against affected individuals. Although the vulnerability does not impact system integrity or availability, the loss of sensitive data alone can have severe operational and compliance consequences. Organizations with open or self-registration portals are at higher risk, as attackers can easily create accounts with Subscriber-level access to exploit the flaw. The medium severity rating reflects the balance between ease of exploitation and the scope of impact, emphasizing the need for timely remediation to protect sensitive educational data.

European organizations should immediately audit their Tutor LMS installations to identify affected versions (up to 3.9.3) and restrict user registration to trusted individuals to limit potential attackers. Implementing strict role-based access controls and monitoring for unusual access patterns to order data can help detect exploitation attempts. Since no official patch links are currently available, organizations should consider applying custom authorization checks on the get_order_by_id() function to enforce capability verification before granting access. Additionally, disabling or restricting API endpoints that expose order information to low-privilege users can reduce attack surface. Regularly updating the plugin once a patch is released is critical. Organizations should also conduct user awareness training to mitigate risks from phishing attacks that could leverage leaked PII. Employing web application firewalls (WAFs) with rules to detect and block suspicious enumeration attempts can provide an additional layer of defense. Finally, ensure comprehensive logging and alerting on access to sensitive data to enable rapid incident response.