Medium severity6.5NVD Advisory· Published Jan 8, 2026· Updated Apr 15, 2026
CVE-2025-13679
CVE-2025-13679
Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=3.9.3
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.