CVE-2025-13628
Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon ModificationThe Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons.
We have discovered 7,927 live websites that are affected by CVE-2025-13628.
Affected Software
| Product | |
| Category | Learning Management System |
| Vulnerable Domains | 7,927 live websites (93% of Tutor LMS install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 118 versions ( 99% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Jan 9, 2026
- Updated - Jan 9, 2026
Credits
- Supakiad S. (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-13628 United States | 2,223 websites |
 Germany | 627 websites |
 Cyprus | 452 websites |
 India | 385 websites |
 France | 356 websites |
 Poland | 354 websites |
 GB | 336 websites |
 Brazil | 297 websites |
 Italy | 222 websites |
 Spain | 194 websites |
Website Distribution by TLD
Number of websites using CVE-2025-13628| .com | 3,778 websites |
| .org | 488 websites |
| .pl | 270 websites |
| .com.br | 245 websites |
| .de | 172 websites |
| .net | 161 websites |
| .it | 146 websites |
| .co.uk | 133 websites |
| .fr | 116 websites |
| .nl | 102 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-13628
Top websites that are affected by CVE-2025-13628. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.com | United States | **,*** | |
| *****.com | France | ***,*** | |
| *****.co | Cyprus | ***,*** | |
| ****.nl |  Netherlands | ***,*** | |
| *****.es | Spain | ***,*** | |
| ****.me |  United Arab Emirates | ***,*** | |
| ***.gr |  Greece | ***,*** | |
| ********.com | Cyprus | ***,*** | |
| ***********.com | United States | ***,*** | |
| **********.ee |  Estonia | ***,*** |
FAQ
CVE-2025-13628 is Missing Authorization in Tutor LMS
A total of 7,927 websites have been identified as vulnerable to CVE-2025-13628, based on global website indexing conducted by WebTechSurvey.
The Tutor LMS is affected by the CVE-2025-13628 vulnerability.
Tutor LMS versions up to and including 3.9.3 are vulnerable to CVE-2025-13628.