CVE-2025-6680 is an improper access control vulnerability (CWE-284) found in the Tutor LMS plugin for WordPress, a widely used eLearning and online course management solution. The flaw exists in all versions up to and including 3.8.3, allowing authenticated users with tutor-level privileges or higher to access assignment submissions for courses they do not teach. This unauthorized access can lead to sensitive information exposure, such as student submissions, grades, or personal data contained within assignments. The vulnerability does not require user interaction and can be exploited remotely over the network by any authenticated tutor-level user. The CVSS v3.1 base score is 4.3, reflecting a medium severity primarily due to the limited scope of privilege required and the confidentiality impact without affecting integrity or availability. No patches or official fixes have been published at the time of disclosure, and no known exploits have been observed in the wild. The issue stems from insufficient enforcement of access control checks within the plugin's assignment viewing functionality, allowing privilege escalation within the context of tutor roles. Given the popularity of WordPress and the Tutor LMS plugin in educational institutions and corporate training environments, this vulnerability poses a risk of unauthorized data disclosure.

The primary impact of CVE-2025-6680 is the exposure of sensitive student information and assignment data to unauthorized tutors within the same LMS environment. This can lead to privacy violations, potential academic dishonesty, and loss of trust in the eLearning platform. While the vulnerability does not allow modification or deletion of data, the confidentiality breach can have legal and reputational consequences for educational institutions and organizations relying on Tutor LMS. Attackers with tutor-level access can harvest sensitive data across multiple courses, potentially affecting a large number of students. The impact is limited to environments where multiple tutors have access and where sensitive information is stored in assignments. Since exploitation requires authentication, external attackers without credentials are not directly at risk, but insider threats or compromised tutor accounts increase the risk. The vulnerability could also be leveraged as part of a broader attack chain to gather intelligence or facilitate social engineering.

Until an official patch is released, organizations should implement strict access controls by reviewing and minimizing tutor-level permissions to only those absolutely necessary. Consider segregating courses so tutors only have access to their assigned courses and monitor LMS logs for unusual access patterns to assignments outside of tutors' courses. Employ multi-factor authentication (MFA) for all tutor accounts to reduce the risk of credential compromise. Educate tutors and administrators about the risk of unauthorized data access and enforce policies to report suspicious activity. If possible, temporarily disable or restrict assignment viewing features for tutors until a fix is available. Keep the Tutor LMS plugin updated and apply security patches promptly once released. Additionally, consider deploying web application firewalls (WAFs) with custom rules to detect and block anomalous requests targeting assignment data. Conduct regular security audits of LMS configurations and user roles to ensure compliance with the principle of least privilege.