PT-2025-43706 · WordPress · Tutor Lms

Rafshanzani Suhada · Published 2025-10-25 · Updated 2025-12-05 · CVE-2025-11564

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Tutor LMS versions up to and including 3.8.3

Description

The Tutor LMS plugin for WordPress is susceptible to unauthorized data modification. This occurs because of a missing capability check when verifying webhook signatures within the verifyAndCreateOrderData() function. This allows unauthenticated attackers to circumvent payment verification and falsely mark orders as paid by sending crafted webhook requests with the payment type parameter set to 'recurring'.

Recommendations

Update Tutor LMS to a version newer than 3.8.3.

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2025-11564

Affected Products: Tutor Lms
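
For teams reviewing their own payment webhook handlers for the weakness class described above, the following added example shows signature verification that fails closed and runs before any field of the request, including the payment type, is read. It is not Tutor LMS code and not the vendor's patch; the function names, the `payment_type` field, the hex HMAC-SHA256 signature format and the secret are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical handler, not Tutor LMS source code.
// Function names, field names, signature format and secret are assumptions.

const WEBHOOK_SECRET = 'constructed-demo-secret'; // constructed value; load from config in practice

/**
 * Returns the decoded payload only if the HMAC over the raw body matches.
 * The check runs before the payload is parsed, so no field inside the
 * request (such as a payment type) can influence whether it is enforced.
 */
function verify_webhook(string $rawBody, ?string $signatureHeader): ?array
{
    if ($signatureHeader === null || $signatureHeader === '') {
        return null; // fail closed: a missing signature is never acceptable
    }
    $expected = hash_hmac('sha256', $rawBody, WEBHOOK_SECRET);
    if (!hash_equals($expected, $signatureHeader)) {
        return null; // constant-time comparison did not match
    }
    $payload = json_decode($rawBody, true);
    return is_array($payload) ? $payload : null;
}

/** Only a verified payload may lead to an order being marked as paid. */
function order_status_for(string $rawBody, ?string $signatureHeader): string
{
    $payload = verify_webhook($rawBody, $signatureHeader);
    if ($payload === null) {
        return 'rejected';
    }
    // Branching on the payment type happens only after verification.
    $type = $payload['payment_type'] ?? 'one_time';
    return in_array($type, ['one_time', 'recurring'], true) ? 'paid' : 'rejected';
}

// Constructed sample input.
$body    = json_encode(['order_id' => 1001, 'payment_type' => 'recurring']);
$goodSig = hash_hmac('sha256', $body, WEBHOOK_SECRET);

var_dump(order_status_for($body, $goodSig));            // correctly signed request
var_dump(order_status_for($body, null));                // 'recurring' request with no signature
var_dump(order_status_for($body, str_repeat('0', 64))); // 'recurring' request with a wrong signature
```

A regression test for a handler of this kind should include at least one request per payment type that carries no signature or an invalid one, and assert that the order state does not change.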