Atomic Edge analysis of CVE-2025-13935:
This vulnerability allows authenticated attackers with subscriber-level WordPress access to mark any Tutor LMS course as completed without enrollment verification. The flaw resides in the ‘mark_course_complete’ function within the Course.php file, enabling unauthorized course completion in all plugin versions up to 3.9.2. The CVSS score of 4.3 reflects a medium-severity integrity impact limited to course completion tracking.

Atomic Edge research identified the root cause as missing enrollment verification in the ‘mark_course_complete’ function at line 2119 of tutor/classes/Course.php. The vulnerable function checked only for user authentication via ‘is_user_logged_in()’ but omitted validation of course enrollment status. Attackers could bypass the intended enrollment requirement by directly calling the function with arbitrary course IDs.

The exploitation method involves an authenticated WordPress user sending a POST request to the WordPress AJAX endpoint, /wp-admin/admin-ajax.php, with the action parameter set to ‘tutor_mark_course_complete’ and a ‘course_id’ parameter containing any valid course identifier. The attack requires only subscriber-level authentication and no enrollment in the targeted course.

The patch adds enrollment verification before allowing course completion. In tutor/classes/Course.php at line 2121, developers inserted ‘if ( ! tutor_utils()->is_enrolled( $course_id, $user_id ) )’, which consults the ‘is_enrolled’ utility function. The check ensures that users must be enrolled in a course before marking it complete, and terminates execution with an error message when enrollment verification fails.
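To make the missing-authorization pattern concrete, the following is an illustrative WordPress AJAX handler written for this analysis; it is not Tutor LMS code and does not reproduce the plugin's implementation. Only ‘is_user_logged_in()’ (WordPress core) and ‘tutor_utils()->is_enrolled( $course_id, $user_id )’ (named in the patch) come from the page; the hook name, the helper that records completion, the nonce name and the response messages are assumptions. The first handler shows the pre-patch logic (authentication only); the second shows the patched logic, where authorization binds the authenticated user to the specific course being acted on.

```php
<?php
/*
 * Illustrative example for this analysis; NOT Tutor LMS code.
 * Assumed: hook name, example_record_completion(), nonce name, messages.
 * From the page: is_user_logged_in(), tutor_utils()->is_enrolled().
 */

// Assumed storage for a completion record: one user-meta entry per course ID.
function example_record_completion( $course_id, $user_id ) {
	update_user_meta( $user_id, 'example_course_completed_' . $course_id, time() );
}

// Vulnerable pattern (pre-3.9.2 behaviour as described in the analysis):
// authentication is the only gate, so any logged-in user, including a
// subscriber, can complete any course simply by supplying its ID.
function example_mark_course_complete_vulnerable() {
	if ( ! is_user_logged_in() ) {
		wp_send_json_error( array( 'message' => 'Login required' ), 401 );
	}

	$course_id = isset( $_POST['course_id'] ) ? (int) $_POST['course_id'] : 0;
	$user_id   = get_current_user_id();

	if ( $course_id <= 0 ) {
		wp_send_json_error( array( 'message' => 'Invalid course' ), 400 );
	}

	// Missing: is the caller actually enrolled in $course_id?
	example_record_completion( $course_id, $user_id );
	wp_send_json_success();
}

// Hardened pattern (the patched logic): authenticate, then authorize the
// caller against the course object before changing any state.
function example_mark_course_complete_hardened() {
	if ( ! is_user_logged_in() ) {
		wp_send_json_error( array( 'message' => 'Login required' ), 401 );
	}

	// General WordPress AJAX hygiene (CSRF protection); not part of the
	// described patch, which addressed authorization rather than request origin.
	check_ajax_referer( 'example_course_nonce', '_nonce' );

	$course_id = isset( $_POST['course_id'] ) ? (int) $_POST['course_id'] : 0;
	$user_id   = get_current_user_id();

	if ( $course_id <= 0 ) {
		wp_send_json_error( array( 'message' => 'Invalid course' ), 400 );
	}

	// The enrollment check the patch added: a logged-in identity alone does not
	// entitle the caller to act on an arbitrary course.
	if ( ! tutor_utils()->is_enrolled( $course_id, $user_id ) ) {
		wp_send_json_error( array( 'message' => 'You are not enrolled in this course' ), 403 );
	}

	example_record_completion( $course_id, $user_id );
	wp_send_json_success();
}

// Register only the wp_ajax_* hook (logged-in users); no wp_ajax_nopriv_* variant.
add_action( 'wp_ajax_example_mark_course_complete', 'example_mark_course_complete_hardened' );
```

The defensive point is that ‘is_user_logged_in()’ answers "who is this?" while ‘is_enrolled()’ answers "may this user act on this object?"; an AJAX action that mutates per-object state needs both checks, and the object-level check has to use the ID taken from the request, not a value the caller is assumed to own.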

Successful exploitation compromises course completion integrity across the learning management system. Attackers can falsely claim course completion certificates, manipulate progress tracking, and potentially bypass course prerequisites. This vulnerability undermines the educational platform’s credential verification system and could enable fraudulent certification claims.