Tutor LMS < 3.9.4 – Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via tutor_order_details | CVE 2025-13679 | Plugin Vulnerabilities

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address.

Affects Plugins

Fixed in 3.9.4

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0830d0c3-99c0-423e-99ab-f0c1cbec52d9

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Supakiad S. (m3ez)

Verified

No

WPVDB ID

fbc60ef3-f5db-4fe0-81ff-c6fbb8d225e8

Timeline

Publicly Published

2026-01-07 (about 4 months ago)

Added

2026-01-07 (about 4 months ago)

Last Updated

2026-01-08 (about 4 months ago)

Other

Published

Title

Published

2024-08-01

Title

WooCommerce PDF Vouchers < 4.9.5 - Missing Authorization

Published

2024-06-06

Title

Easy Forms for Mailchimp <= 6.9.0 - Missing Authorization

Published

2025-11-15

Title

Bookit < 2.5.1 – Unauthenticated Settings Update

Published

2024-02-14

Title

Peach Payments Gateway < 3.2.0 - Missing Authorization via peach_core_version_rollback()

Published

2025-07-16

Title

Hestia < 3.2.11 - Missing Authorization