PT-2025-43711 · WordPress · Tutor Lms Pro

Published: 2025-10-25 · Updated: 2025-10-25 · CVE-2025-6639

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Tutor LMS Pro versions prior to 3.8.4

Description

The Tutor LMS Pro plugin for WordPress is susceptible to an Insecure Direct Object Reference issue. This is due to a lack of proper validation on a user-controlled key when handling assignment viewing and editing through the tutor_assignment_submit() function. Authenticated attackers with Subscriber-level access or higher can potentially view and modify assignment submissions belonging to other students.

Recommendations

Update Tutor LMS Pro to version 3.8.4 or later.

Fix

Improper Authorization

Weakness Enumeration

Related Identifiers

CVE-2025-6639

Affected Products

Tutor Lms Pro