CVE-2025-6680: CWE-284 Improper Access Control in themeum Tutor LMS – eLearning and online course solution
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level access and above, to view assignments for courses they don't teach, which may contain sensitive information.
AI Analysis
Technical Summary
CVE-2025-6680 is an improper access control vulnerability (CWE-284) found in the Tutor LMS plugin for WordPress, a widely used eLearning and online course management solution. The flaw exists in all versions up to and including 3.8.3 and allows authenticated users with tutor-level privileges or higher to access assignment data for courses they do not teach. This unauthorized access results in sensitive information exposure, potentially including student submissions, grades, and feedback, which could violate privacy and data protection regulations. The vulnerability does not require user interaction and can be exploited remotely over the network, but it does require the attacker to have authenticated access with at least tutor-level permissions. The CVSS v3.1 base score is 4.3 (medium severity), reflecting low impact on confidentiality (limited to information disclosure), no impact on integrity or availability, low attack complexity, and no user interaction needed. No patches or exploits are currently publicly available, but the vulnerability is documented and published by Wordfence. The issue stems from insufficient access control checks within the plugin's code that fail to restrict tutors from viewing assignments outside their authorized courses. This can lead to breaches of confidentiality and potential compliance issues, especially under GDPR for European organizations handling personal data of students.
Potential Impact
For European organizations, especially educational institutions and corporate training providers using Tutor LMS, this vulnerability poses a risk of unauthorized disclosure of sensitive student or employee data. Exposure of assignments and related information can lead to privacy violations, reputational damage, and potential legal consequences under GDPR and other data protection laws. While the vulnerability does not affect system integrity or availability, the confidentiality breach can undermine trust in the eLearning platform. Attackers with tutor-level access could harvest sensitive data across multiple courses, increasing the scope of exposure. This is particularly concerning for institutions with strict data segregation policies or those handling sensitive or proprietary educational content. The medium severity score indicates a moderate risk that should be addressed promptly to prevent data leakage and maintain compliance.
Mitigation Recommendations
1. Immediately review and audit tutor-level user permissions to ensure only authorized personnel have such access.
2. Implement strict role-based access controls (RBAC) and limit tutor privileges to only the courses they manage.
3. Monitor access logs for unusual activity, such as tutors accessing assignments outside their courses.
4. Apply any official patches or updates from Themeum as soon as they become available.
5. If patches are not yet available, consider temporarily disabling tutor access or restricting the plugin's functionality via custom code or security plugins to enforce proper access controls.
6. Educate staff and tutors about the sensitivity of assignment data and the importance of adhering to access policies.
7. Conduct regular security assessments and penetration tests focusing on access control mechanisms within the LMS environment.
8. Ensure backups and incident response plans are in place in case of data exposure incidents.
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-25T20:08:13.654Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68fc626a07185a1a52fd762f
Added to database: 10/25/2025, 5:38:50 AM
Last enriched: 10/25/2025, 6:58:04 AM
Last updated: 10/25/2025, 3:07:11 PM