{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6639", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-25T14:18:39.748Z", "datePublished": "2025-10-25T05:31:22.323Z", "dateUpdated": "2026-04-08T17:06:14.403Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:14.403Z"}, "affected": [{"vendor": "themeum", "product": "Tutor LMS Pro", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.8.3", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Tutor LMS Pro \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the tutor_assignment_submit() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and edit assignment submissions of other students."}], "title": "Tutor LMS Pro \u2013 eLearning and online course solution <= 3.8.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to View/Edit Other Assignments", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8dc16ba4-3c2e-43e2-82a0-b742276b9640?source=cve"}, {"url": "https://wordpress.org/plugins/tutor/#developers"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-285 Improper Authorization", "cweId": "CWE-285", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Sergio Frami\u00f1\u00e1nn Garc\u00eda"}], "timeline": [{"time": "2025-08-01T19:12:11.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-24T17:30:42.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T15:58:02.319504Z", "id": "CVE-2025-6639", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:58:11.487Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6639", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-27T15:58:02.319504Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:58:06.778Z"}}], "cna": {"title": "Tutor LMS Pro \u2013 eLearning and online course solution <= 3.8.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to View/Edit Other Assignments", "credits": [{"lang": "en", "type": "finder", "value": "Sergio Frami\u00f1\u00e1nn Garc\u00eda"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "themeum", "product": "Tutor LMS Pro", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.8.3"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-01T19:12:11.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-24T17:30:42.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8dc16ba4-3c2e-43e2-82a0-b742276b9640?source=cve"}, {"url": "https://wordpress.org/plugins/tutor/#developers"}], "descriptions": [{"lang": "en", "value": "The Tutor LMS Pro \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the tutor_assignment_submit() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and edit assignment submissions of other students."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:06:14.403Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6639", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:06:14.403Z", "dateReserved": "2025-06-25T14:18:39.748Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-25T05:31:22.323Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Tutor LMS Pro \u2013 eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.8.3 due to missing validation on a user controlled key when viewing and editing assignments through the tutor_assignment_submit() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and edit assignment submissions of other students."}], "id": "CVE-2025-6639", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-25T06:15:36.330", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/tutor/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8dc16ba4-3c2e-43e2-82a0-b742276b9640?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:41:28.822940+00:00", "value": {"mitigation_remediation": ["Upgrade Tutor LMS Pro to a version newer than 3.8.3 where the IDOR issue has been addressed.", "If an upgrade is not feasible, limit the Subscriber role\u2019s capabilities to prevent access to assignment edit endpoints\u2014use a role\u2011management or permission\u2011control plugin to revoke those capabilities.", "As a temporary measure, deploy a web\u2011application firewall rule or rewrite the endpoint URL to restrict the tutor_assignment_submit() route to only users with a Teacher or higher role."], "summary": {"action": "Upgrade", "impact": "Unauthorized assignment access and potential data modification"}, "threat_synthesis": {"affected_systems": "WordPress sites using the themeum Tutor LMS Pro plugin with versions up to and including 3.8.3 are affected. Any site running these legacy versions that allows Subscriber users to submit assignments is vulnerable; the issue is tied directly to the assignment submission handling within the plugin.", "description_and_impact": "The Tutor LMS Pro plugin for WordPress suffers from an insecure direct object reference that allows authenticated users with a Subscriber role or higher to view and edit the assignment submissions of other students. This flaw stems from missing validation on a user\u2011controlled key within the tutor_assignment_submit() function, thereby exposing confidential student work and enabling tampering with another user\u2019s data. The vulnerability could be used to exfiltrate or alter sensitive coursework, compromising confidentiality and integrity of academic content.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a medium impact, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The flaw is not listed in CISA\u2019s KEV catalog. An attacker must first authenticate as a Subscriber or higher to exploit the vulnerability, typically through a browser session to the assignment submission endpoint. Because the weak credential validation occurs on the server side, the attack requires only normal web access and does not rely on privileged network exploitation."}}}}, "created": "2025-10-27T22:10:22.622588+00:00", "updated": "2026-04-22T00:45:04.161505+00:00", "vendors": ["themeum", "themeum$PRODUCT$tutor_lms", "wordpress", "wordpress$PRODUCT$wordpress"]}