CVE-2025-13934: CWE-862 Missing Authorization in themeum Tutor LMS – eLearning and online course solution
CVE-2025-13934 is a medium severity vulnerability in the Tutor LMS WordPress plugin that allows authenticated users with subscriber-level access or higher to enroll themselves in any course without proper authorization or purchase validation. The flaw stems from missing capability checks and purchasability validation in the AJAX handler responsible for course enrollment. Exploitation requires authentication but no user interaction beyond login. While it does not impact confidentiality or availability, it undermines the integrity of course enrollment processes, potentially causing financial loss and unauthorized access to paid content. No known exploits are currently reported in the wild. European organizations using Tutor LMS versions up to 3.9.3 should prioritize patching or applying compensating controls to prevent unauthorized course access. Countries with high WordPress adoption and significant e-learning sectors, such as Germany, France, and the UK, are most likely to be affected.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-13934 affects the Tutor LMS plugin for WordPress, widely used for e-learning and online course management. The root cause is a missing authorization check (CWE-862) in the `course_enrollment()` AJAX handler, which fails to verify whether the authenticated user has the necessary permissions or has completed the purchase process before enrolling in a course. This flaw allows any authenticated user with at least subscriber-level privileges to bypass payment and enrollment restrictions, granting unauthorized access to paid courses. The vulnerability affects all versions up to and including 3.9.3. The CVSS 3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based, requires low attack complexity, and privileges at the subscriber level, but does not require user interaction. The impact is primarily on integrity, as unauthorized users can manipulate enrollment status, potentially leading to revenue loss for course providers and undermining trust in the LMS platform. No known exploits have been reported in the wild, but the vulnerability is publicly disclosed and should be addressed promptly. The lack of a patch link suggests that a fix may not yet be available, increasing the urgency for mitigation.
Potential Impact
For European organizations, especially educational institutions, training providers, and enterprises relying on Tutor LMS for internal or external training, this vulnerability can lead to unauthorized access to paid or restricted courses. This undermines revenue models based on course purchases and may expose proprietary or sensitive training content to unauthorized users. While confidentiality and availability are not directly impacted, the integrity of course enrollment data is compromised, potentially affecting compliance with contractual or regulatory obligations related to content access. The financial impact could be significant for organizations monetizing courses. Additionally, unauthorized users gaining access to restricted training materials may lead to competitive disadvantages or intellectual property exposure. The medium severity rating indicates a moderate risk but one that should not be ignored, especially in sectors where e-learning is critical.
Mitigation Recommendations
Organizations should immediately audit their Tutor LMS installations to identify affected versions (up to 3.9.3). Until an official patch is released, administrators should implement compensating controls such as restricting subscriber-level user creation, enforcing stricter user role management, and monitoring enrollment logs for suspicious activity. Custom code or plugins could be developed to add capability checks on the `course_enrollment()` AJAX endpoint, validating user permissions and purchase status before allowing enrollment. Additionally, organizations should consider temporarily disabling self-enrollment features or limiting enrollment capabilities to trusted roles only. Regularly updating WordPress and plugins, applying security hardening best practices, and monitoring for unusual access patterns will help reduce risk. Once a patch is available, prompt application is critical. Communication with users about the vulnerability and any temporary changes to enrollment processes is also advisable.
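The compensating control described above, written out as an added example (not code from Tutor LMS, Wordfence or this advisory): a must-use plugin that runs ahead of the plugin's own AJAX handler and fails closed unless the caller holds an explicit enrolment capability and, for a non-free course, a purchase has been verified. The action name `tutor_course_enrollment`, the POST field `course_id`, the post type `courses`, the meta key `_tutor_course_price_type`, the capability `example_enroll_courses` and the filter `example_course_purchase_verified` are assumptions to be confirmed against the installed plugin version.

```php
<?php
/**
 * Plugin Name: Example enrollment guard for Tutor LMS (compensating control)
 *
 * Hooks the admin-ajax enrollment action at priority 0 so it runs before the
 * plugin's own handler, and terminates the request unless the caller holds an
 * explicit enrolment capability and, for a non-free course, a purchase has been
 * verified. Place the file in wp-content/mu-plugins/.
 *
 * Assumed, not taken from the advisory: the action name 'tutor_course_enrollment',
 * the POST field 'course_id', the post type 'courses' and the meta key
 * '_tutor_course_price_type'. Verify each against the installed plugin version.
 */

add_action( 'wp_ajax_tutor_course_enrollment', 'example_guard_course_enrollment', 0 );

function example_guard_course_enrollment() {
    $user_id   = get_current_user_id();
    $course_id = isset( $_POST['course_id'] ) ? absint( $_POST['course_id'] ) : 0;

    // Sanity: wp_ajax_ hooks only fire for logged-in users, but fail closed anyway.
    if ( ! $user_id || ! $course_id || 'courses' !== get_post_type( $course_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid enrollment request.' ), 400 );
    }

    // Authorization: a custom capability the default subscriber role does not have.
    // Grant 'example_enroll_courses' only to roles or users allowed to self-enrol.
    if ( ! current_user_can( 'example_enroll_courses' ) ) {
        example_log_denied( $user_id, $course_id, 'missing capability' );
        wp_send_json_error( array( 'message' => 'Not permitted to enrol.' ), 403 );
    }

    // Purchasability: anything other than an explicit 'free' course (including a
    // missing meta value) is treated as paid. The site's commerce backend answers
    // via the hypothetical filter below; the default answer is "not verified".
    $price_type = get_post_meta( $course_id, '_tutor_course_price_type', true );
    if ( 'free' !== $price_type ) {
        $verified = apply_filters( 'example_course_purchase_verified', false, $user_id, $course_id );
        if ( true !== $verified ) {
            example_log_denied( $user_id, $course_id, 'no verified purchase' );
            wp_send_json_error( array( 'message' => 'Purchase required before enrollment.' ), 403 );
        }
    }
    // Every check passed: return so Tutor LMS's own handler runs at its normal priority.
}

// Denied attempts go to the PHP error log so they can be alerted on.
function example_log_denied( $user_id, $course_id, $reason ) {
    error_log( sprintf( 'enrollment-guard: denied user=%d course=%d reason=%s', $user_id, $course_id, $reason ) );
}
```

`wp_send_json_error()` ends the request via `wp_die()`, so a denied call never reaches the vulnerable handler; the `enrollment-guard: denied` log lines give the enrollment monitoring the recommendations ask for.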
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-02T22:22:20.669Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6960b130ecefc3cd7c0f7cfb
Added to database: 1/9/2026, 7:41:36 AM
Last enriched: 1/16/2026, 9:58:07 AM
Last updated: 2/7/2026, 2:29:37 PM