CVE-2025-13934 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Tutor LMS plugin for WordPress, versions up to and including 3.9.3. Tutor LMS is a popular e-learning and online course management solution integrated into WordPress sites. The vulnerability exists due to the absence of proper capability checks and purchasability validation within the `course_enrollment()` AJAX handler. This handler processes requests to enroll users in courses. Because the plugin fails to verify whether the authenticated user has the right to enroll or has completed the purchase process, any authenticated user with subscriber-level access or higher can exploit this flaw to enroll themselves in any course without payment or approval. The attack vector requires network access (remote) and low attack complexity, as no additional user interaction is needed beyond authentication. The vulnerability impacts the integrity of course enrollment data, allowing unauthorized access to paid content, but does not affect confidentiality or availability directly. No known public exploits or active exploitation have been reported, but the flaw poses a risk to the business model of online education providers relying on Tutor LMS. The CVSS 3.1 base score is 4.3 (medium), reflecting the limited scope of impact and the requirement for authenticated access. The vulnerability was publicly disclosed in January 2026, with no official patches available at the time of reporting, necessitating interim mitigations.

The primary impact of CVE-2025-13934 is unauthorized course enrollment, which undermines the integrity of the e-learning platform by allowing users to bypass payment and access paid content freely. This can lead to significant financial losses for organizations relying on Tutor LMS for monetized courses. Additionally, unauthorized access may expose course materials intended only for paying customers, potentially violating licensing agreements or intellectual property protections. While confidentiality and availability are not directly affected, the erosion of trust in the platform's access controls can damage the reputation of educational institutions and course providers. The vulnerability could also facilitate further abuse if attackers use unauthorized enrollment to gain footholds for additional attacks within the WordPress environment. Organizations worldwide using Tutor LMS are at risk, especially those with large subscriber bases or high-value courses. The lack of known exploits in the wild suggests limited immediate threat, but the ease of exploitation and the widespread use of WordPress and Tutor LMS increase the potential for future attacks.

To mitigate CVE-2025-13934, organizations should first check for and apply any official patches or updates released by Themeum addressing this vulnerability. In the absence of patches, administrators should implement strict role-based access controls to limit subscriber-level permissions and monitor enrollment-related AJAX requests for anomalies. Disabling or restricting the `course_enrollment()` AJAX handler via custom code or security plugins can prevent unauthorized enrollment attempts. Additionally, integrating web application firewalls (WAFs) with rules to detect and block suspicious enrollment requests can provide a protective layer. Regularly auditing user enrollments and cross-referencing with payment records will help identify unauthorized access. Educating users and administrators about the risk and encouraging prompt reporting of suspicious activity is also recommended. Finally, consider isolating the LMS environment or using multi-factor authentication to reduce the risk of compromised accounts being used to exploit this vulnerability.