Primary

Context

Tutor LMS Missing Capability Check Vulnerability in Webhook Payment Verification

Vulnerability

Patched

A vulnerability exists in the Tutor LMS WordPress plugin, specifically in versions through 3.8.3. The issue arises from a lack of proper capability checks in the 'verifyAndCreateOrderData' function, which handles webhook signature verification. This flaw allows unauthenticated attackers to bypass payment verification processes and falsely mark orders as paid by sending fake webhook requests with the 'payment_type' designated as 'recurring'.

Impact

Exploitation of this vulnerability allows for unauthorized modification of order payment statuses, potentially leading to financial discrepancies or fraud.

Remediation

Users are advised to update the Tutor LMS plugin to version 3.9.0 or a newer patched version.

Added: Oct 25, 2025, 6:28 AM

Updated: Oct 25, 2025, 6:28 AM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

0.6

exploitability

7.1

remediation

7.7

relevance

0.8

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

0.6

exploitability

7.1

remediation

7.7

relevance

0.8

threat

3.2

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Tutor LMS Missing Capability Check Vulnerability in Webhook Payment Verification

Vulnerability

Impact

Remediation

Affected Products

Tutor LMS

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating