Atomic Edge analysis of CVE-2025-13628:
This vulnerability is an authenticated missing authorization flaw in the Tutor LMS WordPress plugin. It allows authenticated attackers with subscriber-level permissions or higher to perform unauthorized bulk actions and permanent deletions on arbitrary coupons. The vulnerability affects the plugin’s ecommerce coupon management functionality, with a CVSS score of 4.3.
The root cause lies in CouponController.php, specifically in the bulk_action_handler() and coupon_permanent_delete() functions. Both functions performed a nonce check via tutor_utils()->checking_nonce() but lacked proper capability verification. A nonce only proves that the request originated from a page the plugin rendered for the current user; it is a CSRF defence, not an authorization check, so it says nothing about whether that user is allowed to manage coupons. The only capability the vulnerable code referenced was ‘manage_options’, which is normally reserved for administrators, yet as implemented that check did not stop lower-privileged users: any authenticated user who could obtain a nonce passed the verification and could execute privileged coupon operations. Both functions are reachable through WordPress AJAX endpoints (wp-admin/admin-ajax.php).
Exploitation requires an authenticated attacker with any WordPress user role, including the lowest-privilege subscriber role. The attacker sends a POST request to /wp-admin/admin-ajax.php with the ‘action’ parameter set to either ‘tutor_coupon_bulk_action’ (for bulk_action_handler) or ‘tutor_coupon_permanent_delete’ (for coupon_permanent_delete). The bulk action request includes parameters like ‘bulk_action’ (delete, activate, deactivate, or trash) and ‘bulk_ids’ (an array of coupon IDs). The permanent delete request requires only the ‘id’ parameter containing a single coupon ID. Both requests must include a valid WordPress nonce, which subscribers can obtain from their own dashboard.
The patch replaces the insufficient ‘manage_options’ capability check with a call to tutor_utils()->check_current_user_capability(), which appears to implement proper role-based authorization for coupon management operations; this is the change that actually restricts coupon operations to authorized users. The same release also hardens other code paths: it adds enrollment checks in Course.php, instructor verification in Quiz.php, and SQL escaping in CouponModel.php.
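To make the defect concrete, the following is an added illustration written for this analysis, not Tutor LMS’s own code: a generic WordPress AJAX handler for a coupon bulk action, first gated only by a nonce (the effective behaviour the advisory describes) and then hardened with an explicit capability check. The hook name, nonce action, capability name and the example_apply_bulk_action() helper are assumptions.

```php
<?php
// Added illustration (not Tutor LMS's own code). Hook names, nonce action,
// capability name and the example_apply_bulk_action() helper are assumptions.

// --- Vulnerable pattern: the only gate is a nonce. A nonce is a CSRF token,
// not an authorization check, so any logged-in user who can obtain one for
// this action (e.g. from their own dashboard) reaches the privileged code.
function example_coupon_bulk_action_weak() {
    check_ajax_referer( 'example_coupon_action', 'nonce' ); // dies on a bad nonce only

    $action = sanitize_text_field( wp_unslash( $_POST['bulk_action'] ?? '' ) );
    $ids    = array_map( 'absint', (array) ( $_POST['bulk_ids'] ?? array() ) );

    example_apply_bulk_action( $action, $ids ); // reachable by subscribers
    wp_send_json_success();
}

// --- Hardened pattern: nonce check AND a capability check, failing closed
// before any request data is acted on.
function example_coupon_bulk_action_safe() {
    check_ajax_referer( 'example_coupon_action', 'nonce' );

    // 'manage_options' is used here as the assumed capability for coupon
    // management; a plugin would map this to whatever role is meant to
    // manage its ecommerce settings. wp_send_json_error() exits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // Allow-list the operation rather than passing arbitrary strings through.
    $allowed = array( 'delete', 'activate', 'deactivate', 'trash' );
    $action  = sanitize_text_field( wp_unslash( $_POST['bulk_action'] ?? '' ) );
    if ( ! in_array( $action, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown action' ), 400 );
    }

    // Coerce IDs to positive integers and drop anything that is not one.
    $ids = array_filter( array_map( 'absint', (array) ( $_POST['bulk_ids'] ?? array() ) ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( array( 'message' => 'No coupon IDs supplied' ), 400 );
    }

    example_apply_bulk_action( $action, $ids );
    wp_send_json_success( array( 'processed' => count( $ids ) ) );
}

// Hypothetical helper standing in for the plugin's coupon model.
function example_apply_bulk_action( $action, array $ids ) {
    // ... update the coupon rows for $ids according to $action ...
}

// Only the hardened handler is registered. There is deliberately no
// wp_ajax_nopriv_ hook: unauthenticated users must never reach this action.
add_action( 'wp_ajax_example_coupon_bulk_action', 'example_coupon_bulk_action_safe' );
```

The practical check after applying a fix of this kind is to log in as a subscriber, obtain a valid nonce from a page that renders one, and replay the bulk-action request: the hardened handler must answer 403 before any coupon is touched, whereas the nonce-only handler accepts it.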
Successful exploitation allows attackers to delete, activate, deactivate, or trash any coupon in the system. This can disrupt ecommerce operations by removing discount codes, altering pricing structures, or enabling unauthorized discounts. While the vulnerability doesn’t directly lead to privilege escalation or remote code execution, it enables unauthorized data modification with potential financial impact on course sales and revenue.
