CVE-2025-13935: CWE-862 Missing Authorization in themeum Tutor LMS – eLearning and online course solution
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to mark any course as completed.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress contains a missing authorization vulnerability (CWE-862) in the 'mark_course_complete' function. Because the function does not verify that the calling user is enrolled in the target course, any authenticated user with subscriber-level privileges or higher can mark any course as completed. The issue affects all versions up to and including 3.9.2. The CVSS 3.1 base score is 4.3 (medium severity), reflecting low attack complexity and an impact limited to integrity (unauthorized course completion), with no confidentiality or availability impact. No known exploits are reported in the wild. No patch or remediation details are currently available.
Potential Impact
An authenticated attacker with subscriber-level access or higher can mark any course as completed without being enrolled. This impacts the integrity of course completion data but does not affect confidentiality or availability. There is no indication of further privilege escalation or system compromise from this vulnerability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting subscriber-level permissions or monitoring course completion records for anomalies. Avoid relying solely on course completion status for critical decisions.
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-02T22:22:21.248Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6960b130ecefc3cd7c0f7cff
Added to database: 1/9/2026, 7:41:36 AM
Last enriched: 4/9/2026, 4:39:40 PM
Last updated: 5/9/2026, 8:46:12 PM
Views: 144