CVE-2025-13679: CWE-862 Missing Authorization in themeum Tutor LMS – eLearning and online course solution
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address.
AI Analysis
Technical Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress contains a missing authorization vulnerability (CWE-862) in the get_order_by_id() function in all versions up to 3.9.3. This flaw allows authenticated users with low-level privileges (Subscriber and above) to enumerate order IDs and retrieve sensitive personally identifiable information (PII) including student names, email addresses, phone numbers, and billing addresses. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting a network attack vector with low complexity and requiring low privileges, resulting in high confidentiality impact but no integrity or availability impact. No known exploits are reported in the wild, and no patch or official fix has been documented.
Potential Impact
An attacker with at least Subscriber-level access can exploit this vulnerability to access sensitive personal data of students, including names, emails, phone numbers, and billing addresses. This exposure of PII can lead to privacy violations and potential misuse of personal data. The vulnerability does not affect system integrity or availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Subscriber-level access to trusted users only and monitor for suspicious activity involving order data access. Avoid granting unnecessary permissions to low-privilege users. Follow updates from the vendor for a security patch or official mitigation.
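As an added illustration (not Tutor LMS's own code), the following contrasts a WordPress AJAX order-lookup handler that lacks a capability check, which is the class of defect described above, with a hardened form that enforces a nonce, a capability check and an ownership check before returning order metadata. The handler names, the `example_order` post type, storing orders as a custom post and the use of the built-in `manage_options` capability for staff are assumptions.

```php
<?php
// Illustrative example, not Tutor LMS code. Assumes orders are stored as an
// 'example_order' custom post whose post_author is the buyer (assumption).

// Vulnerable pattern (shown for contrast, deliberately NOT registered):
// any logged-in user, Subscriber included, can fetch any order by ID because
// the only gate is the wp_ajax_ hook's "must be logged in" requirement.
function example_get_order_by_id_unchecked() {
    $order_id = absint( $_GET['order_id'] ?? 0 );
    $order    = get_post( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Returns all order meta (name, email, phone, billing address) to the caller.
    wp_send_json_success( get_post_meta( $order_id ) );
}

// Hardened pattern: nonce, capability check, then object-level ownership check.
function example_get_order_by_id_checked() {
    // Rejects requests without a valid nonce issued for this action (CSRF defence).
    check_ajax_referer( 'example_get_order', 'nonce' );

    $order_id = absint( $_GET['order_id'] ?? 0 );
    $order    = get_post( $order_id );
    if ( ! $order || 'example_order' !== $order->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Staff holding the management capability may read any order; everyone
    // else may read only orders they own. The ownership check is what stops
    // sequential order_id enumeration by low-privilege accounts.
    $is_staff = current_user_can( 'manage_options' );
    $is_owner = (int) $order->post_author === get_current_user_id();
    if ( ! $is_staff && ! $is_owner ) {
        // Logging denied lookups gives defenders a signal for the
        // "suspicious order data access" monitoring recommended above.
        error_log( sprintf(
            'example_get_order denied: user %d requested order %d',
            get_current_user_id(),
            $order_id
        ) );
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_send_json_success( get_post_meta( $order_id ) );
}
add_action( 'wp_ajax_example_get_order', 'example_get_order_by_id_checked' );
```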
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-25T18:50:29.670Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695f5aaec901b06321b263ae
Added to database: 1/8/2026, 7:20:14 AM
Last enriched: 4/9/2026, 9:08:31 PM
Last updated: 5/9/2026, 8:47:31 PM