CVE-2025-13628

Name of the Vulnerable Software and Affected Versions Tutor LMS versions up to and including 3.9.3

Description The Tutor LMS plugin for WordPress is affected by a flaw that allows unauthorized modification and deletion of data. This is due to a missing capability check in the bulk action handler and coupon permanent delete functions. Authenticated attackers with subscriber-level access or higher can delete, activate, deactivate, or trash arbitrary coupons.

Recommendations Update Tutor LMS to a version newer than 3.9.3.