cleantalk
Vulnerabilities and Security Researches

Tutor LMS – eLearning and online course solution, CVE-2025-11564

CVE, Research URL

CVE-2025-11564

Home page URL

Security reports for Tutor LMS – eLearning and online course solution

Application

Tutor LMS – eLearning and online course solution

Published on
Oct 25, 2025
Research Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check while verifying webhook signatures on the "verifyAndCreateOrderData" function in all versions up to, and including, 3.8.3. This makes it possible for unauthenticated attackers to bypass payment verification and mark orders as paid by submitting forged webhook requests with `payment_type` set to 'recurring'.
Affected versions
max 3.9.0.
Status
vulnerable
Previous vulnerability researches
Finale Lite – Sales Countdown Timer & Discount for WooCommerce (CVE-2024-32107) , Jun 07, 2024
Finale Lite – Sales Countdown Timer & Discount for WooCommerce (562ea416d85a2049d70ab426e7463803d31cd817) , Jun 07, 2024
Finale Lite – Sales Countdown Timer & Discount for WooCommerce (CVE-2024-1120) , Jun 07, 2024
Finale Lite – Sales Countdown Timer & Discount for WooCommerce (CVE-2024-30485) , Jun 07, 2024
Finale Lite – Sales Countdown Timer & Discount for WooCommerce (CVE-2023-47180) , Jun 10, 2024
New vulnerability
Link Whisper Free (CVE-2025-62970) , Nov 10, 2025
AI ChatBot with ChatGPT and Content Generator by AYS (CVE-2025-62039) , Nov 10, 2025
Name: Print Button Shortcode (CVE-2025-11810) , Nov 10, 2025
Pagerank tools (CVE-2025-12416) , Nov 10, 2025
Advanced Database Cleaner (CVE-2025-11497) , Nov 10, 2025