Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'.
Published: 2025-10-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Payment Status Update
Action: Apply Patch
AI Analysis

Impact

The Tutor LMS plugin for WordPress contains a missing capability check during webhook signature verification. This flaw allows an unauthenticated user to forge a payment webhook request with the field payment_type set to 'recurring', causing the plugin to mark the order as paid without validating the caller. The attacker can thus create false payment records, potentially gaining access to paid content and generating fraudulent revenue entries.

Affected Systems

The vulnerability affects the Tutor LMS – eLearning and online course solution plugin published by themeum. All releases up to and including version 3.8.3 are susceptible. No version information beyond this range is provided, so any installation of 3.8.3 or earlier is considered at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk. The EPSS score of less than 1% suggests a low probability of real-world exploitation at the time of this analysis. The flaw is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated HTTP POST to the payment gateway webhook endpoint, with a forged payload that bypasses signature validation. Because no authentication is required, an attacker with internet access could submit the malicious request directly to the vulnerable site.

Generated by OpenCVE AI on April 27, 2026 at 23:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tutor LMS to the latest release that includes the missing capability check, such as version 3.8.4 or later.
  • Restrict the payment gateway webhook endpoint to trusted IP addresses or require an additional authentication header so that only legitimate webhook senders can reach it.
  • Require a secret authentication token or valid HMAC signature in the webhook request before updating any order status to prevent unauthenticated requests.
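The third action above, shown as an added example that is not part of the OpenCVE page or of the Tutor LMS code base: a webhook handler that verifies an HMAC-SHA256 signature over the raw body before any field of the payload is read, beside a hypothetical weak handler that performs the check on only one branch (a sketch of the defect class, not the plugin's actual function). The signature scheme, header handling and shared secret are assumptions.

```python
import hashlib
import hmac
import json

# Shared secret known to the gateway and the site (constructed placeholder).
WEBHOOK_SECRET = b"replace-with-the-gateway-shared-secret"


def sign(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """Hex HMAC-SHA256 over the raw request body (an assumed gateway scheme)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def weak_handler(raw_body: bytes, signature_header: str) -> str:
    """Hypothetical illustration of the defect class, not the plugin's code:
    the signature check sits on one branch only, so a 'recurring' event is
    trusted without any verification of who sent it."""
    event = json.loads(raw_body)
    if event.get("payment_type") != "recurring":
        if not hmac.compare_digest(sign(raw_body).encode(), (signature_header or "").encode()):
            return "rejected"
    return "paid:%s" % event["order_id"]


def hardened_handler(raw_body: bytes, signature_header: str) -> str:
    """Verify the signature over the raw bytes before the body is parsed, so no
    field inside the payload can steer execution around the check."""
    if not signature_header:
        return "rejected"
    # Constant-time comparison; both sides as bytes so odd input cannot raise.
    if not hmac.compare_digest(sign(raw_body).encode(), signature_header.encode()):
        return "rejected"
    event = json.loads(raw_body)
    return "paid:%s" % event["order_id"]


# Constructed sample events: the same shape, one forged and one gateway-signed.
FORGED = json.dumps({"order_id": 42, "payment_type": "recurring"}).encode()
GENUINE = json.dumps({"order_id": 43, "payment_type": "recurring"}).encode()


def demo() -> dict:
    """Outcome of each handler for a forged and a genuinely signed event."""
    return {
        "weak_forged": weak_handler(FORGED, ""),
        "hardened_forged": hardened_handler(FORGED, ""),
        "hardened_genuine": hardened_handler(GENUINE, sign(GENUINE)),
    }
```

Running `demo()` shows the forged 'recurring' event accepted by the weak handler and rejected by the hardened one, while the gateway-signed event still passes.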

Advisories

No advisories yet.

History

Fri, 05 Dec 2025 00:30:00 +0000

Type    Values removed    Values added
CPEs    -                 cpe:2.3:a:themeum:tutor_lms:*:*:*:*:free:wordpress:*:*

Mon, 27 Oct 2025 22:30:00 +0000

Type                  Values removed    Values added
First Time appeared   -                 Themeum
                                        Themeum tutor Lms
                                        Wordpress
                                        Wordpress wordpress
Vendors & Products    -                 Themeum
                                        Themeum tutor Lms
                                        Wordpress
                                        Wordpress wordpress

Mon, 27 Oct 2025 16:15:00 +0000

Type       Values removed    Values added
Metrics    -                 ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 25 Oct 2025 05:45:00 +0000

Type          Values removed    Values added
Description   -                 The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'.
Title         -                 Tutor LMS – eLearning and online course solution <= 3.8.3 - Missing Authorization to Unauthenticated Payment Status Update
Weaknesses    -                 CWE-862
References    -                 -
Metrics       -                 cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:42:37.294Z

Reserved: 2025-10-09T14:26:27.293Z

Link: CVE-2025-11564

Vulnrichment

Updated: 2025-10-27T15:48:58.374Z

NVD

Status : Analyzed

Published: 2025-10-25T06:15:35.307

Modified: 2025-12-05T00:26:48.090

Link: CVE-2025-11564

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T23:45:15Z

Weaknesses