CVE-2025-6639 is an improper authorization vulnerability (CWE-285) identified in the Tutor LMS Pro plugin for WordPress, a widely used eLearning and online course management solution. The vulnerability exists in all versions up to and including 3.8.3 due to insufficient validation of a user-controlled key parameter in the tutor_assignment_submit() function. This function handles viewing and editing of assignment submissions. Because the plugin fails to properly verify whether the authenticated user has the right to access or modify a particular assignment submission, attackers with as little as Subscriber-level privileges can access or alter other students' submissions. This represents an Insecure Direct Object Reference (IDOR) flaw, allowing unauthorized data access and modification. The vulnerability is remotely exploitable without user interaction, requiring only authenticated access. The CVSS 3.1 base score is 5.4, indicating medium severity, with network attack vector, low attack complexity, and privileges required at the low level. The impact affects confidentiality and integrity but not availability. No patches were linked at the time of disclosure, and no known exploits are reported in the wild. This vulnerability poses a significant risk to the privacy and academic integrity of eLearning platforms using Tutor LMS Pro, especially in environments where multiple users have Subscriber or higher roles.

For European organizations, particularly educational institutions and eLearning providers using WordPress with Tutor LMS Pro, this vulnerability can lead to unauthorized disclosure and modification of student assignment data. This compromises student privacy and academic integrity, potentially violating GDPR requirements on data protection and confidentiality. Attackers with minimal privileges can escalate their access to sensitive academic records, undermining trust in the platform. The impact is heightened in large universities and training providers that rely heavily on online course management. Additionally, reputational damage and potential regulatory penalties could arise from data breaches. Since the vulnerability does not affect availability, operational disruption is limited, but the breach of confidentiality and integrity is significant. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially as the vulnerability is straightforward to exploit once discovered.

Organizations should monitor for official patches from Themeum and apply them promptly once released. Until patches are available, administrators should restrict Subscriber-level and other low-privilege user roles from accessing assignment submission functionalities, possibly by customizing role capabilities or using additional access control plugins. Implementing web application firewalls (WAFs) with rules to detect and block suspicious requests targeting the tutor_assignment_submit() function can help mitigate exploitation attempts. Regularly audit user roles and permissions to ensure minimal privilege principles are enforced. Logging and monitoring access to assignment submissions should be enhanced to detect unauthorized access patterns. Educating users and administrators about the risk and encouraging prompt reporting of suspicious behavior is also recommended. Finally, consider isolating sensitive academic data or using alternative LMS solutions if immediate patching is not feasible.