{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13679", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-25T18:50:29.670Z", "datePublished": "2026-01-08T07:04:12.744Z", "dateUpdated": "2026-04-08T16:34:11.809Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:11.809Z"}, "affected": [{"vendor": "themeum", "product": "Tutor LMS \u2013 eLearning and online course solution", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.9.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address."}], "title": "Tutor LMS <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via tutor_order_details", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0830d0c3-99c0-423e-99ab-f0c1cbec52d9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/tags/3.9.4/ecommerce/OrderController.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "timeline": [{"time": "2025-11-25T19:20:25.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-07T18:46:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T15:04:02.747945Z", "id": "CVE-2025-13679", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T15:04:10.378Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13679", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T15:04:02.747945Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T15:04:07.051Z"}}], "cna": {"title": "Tutor LMS <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via tutor_order_details", "credits": [{"lang": "en", "type": "finder", "value": "Supakiad S."}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "themeum", "product": "Tutor LMS \u2013 eLearning and online course solution", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.9.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-25T19:20:25.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-07T18:46:16.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0830d0c3-99c0-423e-99ab-f0c1cbec52d9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/tags/3.9.4/ecommerce/OrderController.php"}], "descriptions": [{"lang": "en", "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:11.809Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13679", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:34:11.809Z", "dateReserved": "2025-11-25T18:50:29.670Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-08T07:04:12.744Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address."}, {"lang": "es", "value": "El plugin de soluci\u00f3n de eLearning y cursos en l\u00ednea Tutor LMS para WordPress es vulnerable a acceso no autorizado a datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n get_order_by_id() en todas las versiones hasta la 3.9.3, inclusive. Esto permite a atacantes autenticados, con acceso de nivel Suscriptor y superior, enumerar IDs de pedidos y exfiltrar datos sensibles (PII), como el nombre del estudiante, direcci\u00f3n de correo electr\u00f3nico, n\u00famero de tel\u00e9fono y direcci\u00f3n de facturaci\u00f3n."}], "id": "CVE-2025-13679", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-08T07:15:48.403", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/tags/3.9.4/ecommerce/OrderController.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0830d0c3-99c0-423e-99ab-f0c1cbec52d9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T15:46:49.323594+00:00", "value": {"mitigation_remediation": ["Upgrade the Tutor LMS plugin to version 3.9.4 or later, which resolves the missing authorization check on get_order_by_id()", "Revoke the view order capability from the Subscriber role so that authenticated users at this level cannot attempt to access order details", "If the upgrade cannot be performed immediately, audit and delete any exposed order data from compromised accounts and enforce stricter role management policies to mitigate immediate risk"], "summary": {"action": "Apply Patch", "impact": "Sensitive Information Exposure"}, "threat_synthesis": {"affected_systems": "The flaw exists in the Tutor LMS \u2013 eLearning and online course solution plugin for WordPress, affecting all installations of version 3.9.3 and earlier. Any WordPress site that has installed this plugin and provides Subscriber-level access is vulnerable.", "description_and_impact": "The vulnerability arises from a missing capability check in the Tutor LMS plugin\u2019s get_order_by_id() function. With any authenticated user who has a Subscriber role or higher, an attacker can enumerate order identifiers and retrieve personally identifiable information, including names, email addresses, phone numbers, and billing addresses. This directly leads to the unauthorized disclosure of sensitive user data. The weakness corresponds to the CWE-862 \"Missing Authorization Check.\"", "risk_and_exploitability": "The overall CVSS score of 6.5 indicates a moderate severity. The EPSS score is less than 1%, implying low current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that the attacker possesses a valid account with Subscriber or higher role; no elevated privileges or additional conditions are necessary. Once authenticated, the attacker can enumerate and exfiltrate PII from order records."}}}}, "created": "2026-01-09T13:25:47.435769+00:00", "updated": "2026-04-22T16:00:12.088215+00:00", "vendors": ["themeum", "themeum$PRODUCT$tutor_lms", "wordpress", "wordpress$PRODUCT$wordpress"]}