CVE-2025-13679: CWE-862 Missing Authorization in themeum Tutor LMS – eLearning and online course solution
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address.
AI Analysis
Technical Summary
CVE-2025-13679 affects the Tutor LMS – eLearning and online course solution plugin for WordPress, a widely deployed course-management plugin. The root cause is a missing capability check in the plugin's get_order_by_id() function: it returns the order named by a caller-supplied ID without verifying that the authenticated caller is entitled to see that order. Because the ID is attacker-controlled, any authenticated user with Subscriber-level privileges or higher can iterate over order IDs and read the PII stored on each order: student name, email address, phone number and billing address. Exploitation is remote over the network and needs no interaction from any other user; the only precondition is an account on the site, and on course sites that allow students to self-register any visitor can obtain one. All versions up to and including 3.9.3 are affected. The CVSS v3.1 base score is 6.5 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: network-reachable, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, no integrity or availability impact. No public exploit had been reported at the time of writing, but the disclosed data is exactly the kind whose exposure triggers privacy and regulatory obligations. The weakness is classified as CWE-862 (Missing Authorization).
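To make the root cause concrete, the following is an added example and not Tutor LMS's own code, which this page does not reproduce. It shows the same class of bug in a generic WordPress admin-ajax order lookup, beside a hardened version that performs the capability and ownership check the Mitigation Recommendations below refer to. Every lms_demo_ name, the nonce action, the capability used to identify staff, and the sample order rows are assumptions made for illustration; the real plugin's capability names, request parameters and storage are not shown on this page.

```php
<?php
// Added example, not Tutor LMS code: a generic WordPress admin-ajax order
// lookup exhibiting the CWE-862 pattern (a handler that trusts the caller-
// supplied order ID) beside a hardened version. All lms_demo_* names, the
// nonce action, the staff capability and the order rows are hypothetical.

// Hypothetical storage helper: returns an order row or null. Constructed data.
function lms_demo_load_order( int $order_id ): ?array {
    $orders = array(
        101 => array( 'id' => 101, 'user_id' => 7, 'name' => 'A. Student', 'email' => 'a@example.test', 'phone' => '555-0100' ),
        102 => array( 'id' => 102, 'user_id' => 9, 'name' => 'B. Student', 'email' => 'b@example.test', 'phone' => '555-0101' ),
    );
    return isset( $orders[ $order_id ] ) ? $orders[ $order_id ] : null;
}

// VULNERABLE shape. Reachable by any logged-in user through a wp_ajax_* hook,
// it performs no capability or ownership check, so order_id=101, 102, 103 ...
// walks the whole table and returns each buyer's PII. Shown only for contrast.
function lms_demo_get_order_by_id_vulnerable(): void {
    $order = lms_demo_load_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( null === $order ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    wp_send_json_success( $order );
}

// HARDENED shape: CSRF nonce, explicit login check, then an object-level
// authorization decision before any data leaves the server.
function lms_demo_get_order_by_id_hardened(): void {
    // Rejects requests without a valid nonce for this action (wp_die on failure).
    check_ajax_referer( 'lms_demo_get_order', 'nonce' );

    // wp_ajax_* already implies a session, but the same function may later be
    // wired to a REST route or shortcode, so do not depend on the caller.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    $order = lms_demo_load_order( absint( $_POST['order_id'] ?? 0 ) );

    // A role or capability check alone is not enough: students legitimately
    // view their own orders, so the decision has to be made per object.
    // 'manage_options' stands in for whatever order-management capability the
    // real plugin defines.
    $allowed = null !== $order && (
        current_user_can( 'manage_options' )
        || (int) $order['user_id'] === get_current_user_id()
    );

    // Same response for "no such order" and "not your order": answering 403 to
    // one and 404 to the other would tell an attacker which IDs exist.
    if ( ! $allowed ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    wp_send_json_success( $order );
}

// Only the hardened handler is registered, and only for logged-in users
// (no wp_ajax_nopriv_ hook): anonymous visitors must not reach this code.
add_action( 'wp_ajax_lms_demo_get_order', 'lms_demo_get_order_by_id_hardened' );
```

Two points from the contrast matter when reviewing a fix for this class of bug. First, the check belongs inside the lookup function itself rather than in one of its callers, because a helper like get_order_by_id() tends to be reachable from several entry points and a check added to only one of them leaves the others open. Second, a capability check that lets any logged-in user through is not a fix: the data is per student, so the authorization decision has to compare the requested order's owner with the current user, and the response should not distinguish missing orders from forbidden ones, since that distinction is itself an ID-enumeration oracle.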
Potential Impact
The primary impact is unauthorized disclosure of students' personally identifiable information (PII): the names, email addresses, phone numbers and billing addresses held on Tutor LMS orders. A complete dump of that data supports targeted phishing (the attacker knows each victim bought a course on the site and can reference it), identity fraud, and reputational harm to the institution. Educational institutions and course providers are typically subject to data-protection regimes such as GDPR or CCPA, so a confirmed exfiltration may carry breach-notification duties and penalties. The vulnerability does not affect integrity or availability, but the confidentiality loss alone is material because the data is exactly what follow-on social engineering needs. The required privilege is Subscriber, the lowest WordPress role; on course sites that let students self-register that is effectively any visitor, and any compromised student account or malicious insider can exploit it as well. Exploitation is over the network with no user interaction, so it scales: a single account can enumerate the entire order table. Any organisation running an affected version, in any region, is exposed.
Mitigation Recommendations
Update the Tutor LMS plugin to a release later than 3.9.3 on every site; the affected range ends at 3.9.3, so confirm the installed version rather than assuming automatic updates ran. Where an immediate update is not possible, note that trimming the Subscriber role's capabilities does not help: the function performs no capability check at all, so there is nothing for a reduced role to fail. Effective interim measures are to disable open user registration if the site does not need it, to deactivate the plugin until it can be updated, or, once the request shape of the order lookup has been identified from the plugin source, to block that request at the web application firewall for sessions that are not staff. Review web-server and plugin logs for a single low-privileged account requesting many distinct order IDs in a short window; that sequential pattern is the signature of enumeration and also the basis for any WAF rate rule. Audit WordPress roles and accounts, remove users that are no longer needed, and enforce strong authentication (multi-factor where the site supports it); this limits abuse through stolen credentials but does nothing against a self-registered account, so it complements the update rather than replacing it. Keep an incident response plan for PII breaches ready, and if log review shows the lookup was abused before patching, treat the order data as disclosed and follow the applicable breach-notification process. Warning students that they may receive phishing referencing their course purchases reduces the impact of any leak.
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, South Africa, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-25T18:50:29.670Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695f5aaec901b06321b263ae
Added to database: 1/8/2026, 7:20:14 AM
Last enriched: 2/27/2026, 10:09:38 AM
Last updated: 3/25/2026, 5:43:31 AM