CVE-2025-6639: CWE-285 Improper Authorization in themeum Tutor LMS Pro
The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the tutor_assignment_submit() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and edit assignment submissions of other students.
AI Analysis
Technical Summary
The Tutor LMS Pro plugin for WordPress suffers from an improper authorization vulnerability (CWE-285) identified as CVE-2025-6639. The issue arises from insufficient validation of a user-controlled key parameter in the tutor_assignment_submit() function, which handles viewing and editing of assignment submissions. This allows authenticated users with low privileges (Subscriber-level and above) to access and modify assignment submissions belonging to other students. The vulnerability affects all versions up to and including 3.8.3. The CVSS 3.1 base score is 5.4 (medium), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and limited confidentiality and integrity impact. There is no indication of known exploits in the wild or an available patch at this time.
Potential Impact
An attacker with authenticated Subscriber-level access or higher can view and modify assignment submissions of other students, potentially leading to unauthorized disclosure and alteration of academic data. The impact affects confidentiality and integrity but does not affect availability. This could undermine trust in the LMS platform's data integrity and privacy.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Subscriber-level access to trusted users only and monitor for suspicious activity related to assignment submissions. Avoid granting unnecessary permissions to users. Follow updates from the vendor for an official patch or mitigation.
CVE-2025-6639: CWE-285 Improper Authorization in themeum Tutor LMS Pro
Description
The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the tutor_assignment_submit() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and edit assignment submissions of other students.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Tutor LMS Pro plugin for WordPress suffers from an improper authorization vulnerability (CWE-285) identified as CVE-2025-6639. The issue arises from insufficient validation of a user-controlled key parameter in the tutor_assignment_submit() function, which handles viewing and editing of assignment submissions. This allows authenticated users with low privileges (Subscriber-level and above) to access and modify assignment submissions belonging to other students. The vulnerability affects all versions up to and including 3.8.3. The CVSS 3.1 base score is 5.4 (medium), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and limited confidentiality and integrity impact. There is no indication of known exploits in the wild or an available patch at this time.
Potential Impact
An attacker with authenticated Subscriber-level access or higher can view and modify assignment submissions of other students, potentially leading to unauthorized disclosure and alteration of academic data. The impact affects confidentiality and integrity but does not affect availability. This could undermine trust in the LMS platform's data integrity and privacy.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Subscriber-level access to trusted users only and monitor for suspicious activity related to assignment submissions. Avoid granting unnecessary permissions to users. Follow updates from the vendor for an official patch or mitigation.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-06-25T14:18:39.748Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68fc626a07185a1a52fd762b
Added to database: 10/25/2025, 5:38:50 AM
Last enriched: 4/9/2026, 5:46:02 PM
Last updated: 5/10/2026, 7:57:38 AM
Views: 325
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.