Tutor LMS – eLearning and online course solution < 3.9.0 – Missing Authorization to Unauthenticated Payment Status Update | CVE 2025-11564 | Plugin Vulnerabilities

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function
in all versions up to, and including, 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'.

Affects Plugins

Fixed in 3.9.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/26289a93-063b-469a-9d09-c286d76fce0c

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Rafshanzani Suhada

Verified

No

WPVDB ID

47c9b7b6-bd6a-4bfe-8d25-75e8ee1b06a3

Timeline

Publicly Published

2025-10-24 (about 6 months ago)

Added

2025-10-24 (about 6 months ago)

Last Updated

2025-10-25 (about 6 months ago)

Other

Published

Title

Published

2025-03-04

Title

Zass - WooCommerce Theme for Handmade Artists and Artisans <= 3.9.9.10 - Missing Authorization to Authenticated (Subscriber+) Demo Import

Published

2024-09-30

Title

Spice Starter Sites <= 1.2.5 - Missing Authorization to Unauthenticated Demo Content Import

Published

2025-04-17

Title

JetBlocks For Elementor < 1.3.16.1 - Missing Authorization

Published

2023-09-27

Title

Schema App Structured Data < 1.22.4 - Missing Authorization via page_init

Published

2023-10-12

Title

Nexter < 2.0.4 - Missing Authorization