CVE-2025-13679

Name of the Vulnerable Software and Affected Versions Tutor LMS versions up to and including 3.9.3

Description The Tutor LMS plugin for WordPress is susceptible to unauthorized data access due to a missing capability check within the get order by id() function. This allows authenticated attackers with Subscriber-level access or higher to enumerate order IDs and extract sensitive Personally Identifiable Information (PII). This PII includes student names, email addresses, phone numbers, and billing addresses.

Recommendations Versions prior to 3.9.4 should be updated.