ATutor SQL Injection Vulnerability in Admin User Deletion Page

Vulnerability

A SQL injection vulnerability has been identified in ATutor version 2.2.4, specifically on the admin user deletion page. This vulnerability allows authenticated attackers to manipulate database queries by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script. Exploitation of this vulnerability could lead to unauthorized extraction or modification of database information.

Impact

Exploitation of this vulnerability allows for SQL injection, enabling attackers to interfere with database queries. This could result in unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, log in as an admin user and navigate to the admin user deletion page. Inject a SQL payload into the 'id' parameter of the admin_delete.php script. The vulnerability can also be confirmed with SQLMap by naming the 'id' parameter as the injection point and supplying the appropriate User-Agent and cookie information for the authenticated session.
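The root cause described above is request input being spliced into the SQL text. The following PHP is an added illustration, not ATutor's own code: the table name, column names, and the functions deleteAdminUnsafe and deleteAdminSafe are hypothetical, and an in-memory SQLite database via PDO stands in for ATutor's MySQL back end so the script runs stand-alone. It places the injectable pattern next to the parameterised fix, using a constructed tautology value for the 'id' parameter.

```php
<?php
// Added example, not ATutor code: a hypothetical admin-deletion handler
// showing the injectable pattern beside its hardened form. Runs stand-alone
// on an in-memory SQLite database through PDO.

declare(strict_types=1);

function buildDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admins (admin_id INTEGER PRIMARY KEY, login TEXT NOT NULL)');
    // Constructed sample rows.
    $db->exec("INSERT INTO admins (admin_id, login) VALUES (1, 'root'), (2, 'alice'), (3, 'bob')");
    return $db;
}

// Unsafe pattern: the request value is concatenated into the SQL text, so
// anything in 'id' becomes part of the query grammar rather than a data value.
function deleteAdminUnsafe(PDO $db, string $id): int
{
    return $db->exec("DELETE FROM admins WHERE admin_id = $id");
}

// Hardened pattern: reject anything that is not a positive integer, then bind
// the value as a typed parameter so the database never parses it as SQL.
function deleteAdminSafe(PDO $db, string $id): int
{
    if (!preg_match('/^[1-9][0-9]*$/', $id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('DELETE FROM admins WHERE admin_id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function countAdmins(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM admins')->fetchColumn();
}

// Constructed tampered value: a tautology appended to an otherwise valid id.
$tampered = '2 OR 1=1';

$db = buildDb();
printf("unsafe: deleted %d of 3 rows\n", deleteAdminUnsafe($db, $tampered));

$db = buildDb();
try {
    deleteAdminSafe($db, $tampered);
} catch (InvalidArgumentException $e) {
    printf("safe: rejected input (%s), %d rows remain\n", $e->getMessage(), countAdmins($db));
}
printf("safe: deleted %d row for id=2\n", deleteAdminSafe($db, '2'));
```

The unsafe call removes every row because the tautology widens the WHERE clause, while the hardened call refuses the tampered value outright and, for a legitimate id, deletes exactly one row. Binding the parameter is the actual defence; the integer check in front of it only narrows the accepted input and gives a clean error to log.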

Added: Feb 7, 2026, 12:32 AM
Updated: Feb 7, 2026, 12:32 AM

Vulnerability Rating

Custom Algorithm

spread          3.1
impact          3.1
exploitability  6.1
remediation     0.0
relevance       2.6
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.