CVE-2025-6639 is an insecure direct object reference (IDOR) vulnerability classified under CWE-285 (Improper Authorization) in the Tutor LMS Pro plugin for WordPress, a popular eLearning and online course management solution. The vulnerability exists in all versions up to and including 3.8.3 due to insufficient validation of a user-controlled key parameter within the tutor_assignment_submit() function. This function handles viewing and editing of assignment submissions. Because the plugin fails to properly verify whether the authenticated user has the right to access or modify a given assignment submission, attackers with Subscriber-level privileges or higher can manipulate the key parameter to access or alter other students' submissions. The flaw requires authentication but no further user interaction, and it can be exploited remotely via network access to the WordPress site. The CVSS v3.1 base score is 5.4 (medium severity), reflecting low attack complexity, low privileges required, no user interaction, and limited impact on confidentiality and integrity but no impact on availability. No patches or known exploits are currently available, but the vulnerability could lead to unauthorized disclosure and modification of sensitive academic data, undermining trust in the eLearning platform. The issue highlights the importance of robust access control checks in multi-user educational environments.

For European organizations, especially educational institutions and eLearning providers using Tutor LMS Pro, this vulnerability threatens the confidentiality and integrity of student assignment data. Unauthorized users could view sensitive academic submissions, potentially leading to privacy violations under GDPR and other data protection regulations. The ability to modify assignments could also undermine academic integrity, enabling cheating or falsification of records. This could damage institutional reputation and lead to regulatory penalties. Since the vulnerability requires only Subscriber-level access, it increases the risk from insider threats or compromised low-privilege accounts. The impact is particularly significant for large universities and online course providers with many users, where exploitation could affect numerous students. Although availability is not impacted, the breach of data confidentiality and integrity is critical in educational contexts.

European organizations should immediately audit their Tutor LMS Pro plugin versions and upgrade to a patched release once available from the vendor. Until a patch is released, administrators should restrict Subscriber-level user capabilities to the minimum necessary, potentially disabling assignment submission features for low-privilege users. Implementing web application firewalls (WAFs) with rules to detect and block suspicious parameter tampering targeting tutor_assignment_submit() can provide temporary protection. Monitoring logs for unusual access patterns to assignment submissions is recommended to detect exploitation attempts. Additionally, organizations should review and enforce strict role-based access controls within WordPress and Tutor LMS Pro. Educating users about the risk of credential compromise and enforcing strong authentication mechanisms (e.g., MFA) will reduce the likelihood of unauthorized access. Finally, organizations should prepare incident response plans specific to eLearning data breaches.