WordPress Plugin Vulnerabilities

Tutor LMS – eLearning and online course solution < 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow.

Affects Plugins

Plugin icon
tutor
Fixed in 3.9.4

References

CVE
CVE-2025-13934
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5de212c9-5c2e-4713-b1ce-022dd84520c3

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Supakiad S. (m3ez)
Verified
No
WPVDB ID
d9ea4be1-21fb-48f8-9d86-d08f2d1b2ce1

Timeline

Publicly Published
2026-01-08 (about 4 months ago)
Added
2026-01-08 (about 4 months ago)
Last Updated
2026-01-09 (about 4 months ago)

Other

Published
Title
Published
2025-02-28
Title
BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages < 3.4.26 - Cross-Site Request Forgery to Limited Settings Update
Published
2026-02-09
Title
WCFM - WooCommerce Frontend Manager < 6.7.25 - Authenticated (Shop Manager+) Arbitrary Options Update
Published
2025-10-29
Title
Translate WordPress and go Multilingual – Weglot < 5.2 - Missing Authorization to Unauthenticated Limited Transient Deletion
Published
2024-02-02
Title
WP Dummy Content Generator < 3.1.3 - Missing Authorization
Published
2025-07-07
Title
LoginWP - Pro < 4.0.8.6 - Missing Authorization