CVE-2025-13934 is a missing authorization vulnerability (CWE-862) in the Tutor LMS plugin for WordPress, a widely used eLearning and online course management solution. The flaw exists in the `course_enrollment()` AJAX handler, which lacks proper capability checks and purchasability validation. This allows any authenticated user with subscriber-level privileges or higher to bypass the purchase flow and enroll themselves in any course. The vulnerability affects all versions up to 3.9.3 inclusive. The attack vector is remote and requires only low privileges (subscriber access), with no user interaction needed beyond authentication. The CVSS v3.1 base score is 4.3 (medium), reflecting the limited impact on confidentiality and availability but a clear integrity impact due to unauthorized course enrollment. There are no known exploits in the wild, and no patches have been officially released at the time of reporting. The vulnerability can lead to unauthorized access to paid course content, undermining revenue models and potentially exposing course materials to unauthorized users. Given the plugin’s popularity in WordPress-based eLearning platforms, this vulnerability poses a risk to educational institutions and commercial course providers using Tutor LMS.

For European organizations, especially educational institutions, training providers, and commercial eLearning platforms using Tutor LMS, this vulnerability can result in unauthorized course enrollments, leading to direct financial losses due to bypassed payments. It also risks the integrity of course content and user data by allowing unauthorized users access to restricted materials. This could undermine trust in the platform and damage reputations. Additionally, unauthorized access might facilitate further attacks if course content includes sensitive information or if attackers leverage access to escalate privileges. The impact is primarily on the integrity of enrollment processes and the business model of paid courses, with limited direct confidentiality or availability impact. However, the ease of exploitation by low-privilege authenticated users increases the risk of widespread abuse if left unmitigated.

1. Immediately restrict subscriber-level user permissions to prevent unauthorized access to enrollment functionalities until a patch is available. 2. Implement custom capability checks or filters in WordPress to enforce purchase validation before enrollment. 3. Monitor and audit course enrollment logs for unusual or unauthorized activity. 4. Disable or restrict AJAX endpoints related to course enrollment for low-privilege users if possible. 5. Engage with the vendor (Themeum) to obtain or request an official patch and apply it promptly once released. 6. Educate administrators and instructors about the vulnerability and encourage vigilance in monitoring course access. 7. Consider temporary alternative enrollment workflows that require manual approval to prevent automated abuse. 8. Keep WordPress core and all plugins updated to minimize exposure to related vulnerabilities.