{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13628", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-24T21:38:45.491Z", "datePublished": "2026-01-09T07:22:10.781Z", "dateUpdated": "2026-04-08T16:49:55.422Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:49:55.422Z"}, "affected": [{"vendor": "themeum", "product": "Tutor LMS \u2013 eLearning and online course solution", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.9.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons."}], "title": "Tutor LMS \u2013 eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46f71f7b-7326-47b6-a23a-68a40f5bb56b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/ecommerce/CouponController.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "timeline": [{"time": "2025-11-15T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-24T21:55:21.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-08T19:03:12.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-09T19:06:39.210342Z", "id": "CVE-2025-13628", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:11:27.064Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13628", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-09T19:06:39.210342Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-09T19:11:23.937Z"}}], "cna": {"title": "Tutor LMS \u2013 eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification", "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "themeum", "product": "Tutor LMS \u2013 eLearning and online course solution", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.9.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-15T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2025-11-24T21:55:21.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-08T19:03:12.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46f71f7b-7326-47b6-a23a-68a40f5bb56b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/ecommerce/CouponController.php"}], "descriptions": [{"lang": "en", "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-01-09T07:22:10.781Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13628", "state": "PUBLISHED", "dateUpdated": "2026-01-09T19:11:27.064Z", "dateReserved": "2025-11-24T21:38:45.491Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-09T07:22:10.781Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons."}, {"lang": "es", "value": "La soluci\u00f3n de eLearning y cursos en l\u00ednea Tutor LMS plugin para WordPress es vulnerable a la modificaci\u00f3n y eliminaci\u00f3n no autorizadas de datos debido a una verificaci\u00f3n de capacidad faltante en las funciones 'bulk_action_handler' y 'coupon_permanent_delete' en todas las versiones hasta la versi\u00f3n, e incluyendo, 3.9.3. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen, activen, desactiven o env\u00eden a la papelera cupones arbitrarios."}], "id": "CVE-2025-13628", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-09T08:15:56.660", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/ecommerce/CouponController.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46f71f7b-7326-47b6-a23a-68a40f5bb56b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T16:32:49.582652+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest version of Tutor LMS (3.9.4 or newer) to apply the missing capability checks.", "If an upgrade cannot be performed immediately, restrict subscriber\u2011level access to coupon management by using a firewall rule or plugin that blocks the bulk_action_handler and coupon_permanent_delete URLs for non\u2011admin users.", "Modify the plugin\u2019s functions or add a custom code snippet to enforce a capability check (for example, current_user_can('manage_woocommerce')) before performing coupon modifications."], "summary": {"action": "Patch plugin", "impact": "Coupon Tampering by Authenticated Subscriber"}, "threat_synthesis": {"affected_systems": "All installations of the Tutor LMS \u2013 eLearning and online course solution plugin from themeum that are running version 3.9.3 or earlier. The plugin is a WordPress extension and any site that includes it is vulnerable until an update is applied.", "description_and_impact": "The vulnerability lies in the absence of a capability check in the bulk_action_handler and coupon_permanent_delete functions of the Tutor LMS plugin. As a result, any authenticated user with subscriber level access or higher can delete, activate, deactivate, or trash arbitrary coupons. This represents a missing access control flaw (CWE\u2011862) that allows unauthorized modification of coupon data, potentially disrupting pricing structures and revenue streams.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate risk, but the EPSS score of less than 1% shows that the exploitation probability is currently very low. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to be authenticated with at least subscriber level access, meaning that anyone holding such an account on a vulnerable site could exploit the flaw. Because the flaw only allows coupon manipulation and does not grant code execution or privilege escalation, the impact is limited to the integrity of coupon data."}}}}, "created": "2026-01-09T13:23:24.037983+00:00", "updated": "2026-04-21T16:45:15.209917+00:00", "vendors": ["themeum", "themeum$PRODUCT$tutor_lms", "wordpress", "wordpress$PRODUCT$wordpress"]}