Themeum Tutor LMS
Moderate fix1 remedy
cpe:2.3:a:themeum:tutor_lms:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 3.9.8
Tutor LMS SQL Injection Vulnerability in WordPress
Vulnerability
Patched
A SQL injection vulnerability has been identified in the Tutor LMS plugin for WordPress, affecting versions through 3.9.8. The issue arises from inadequate escaping of the 'date' parameter, which is directly interpolated into a SQL fragment before being passed to the database preparation function. This vulnerability allows authenticated attackers with Admin-level access to append additional SQL queries and extract sensitive information from the database.
Impact
Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to access or modify database information. In this case, it could lead to unauthorized data disclosure.
Reproduction
To reproduce this vulnerability, an authenticated user with Admin-level access can send a request to the Instructors List page of the Tutor LMS plugin, including a crafted 'date' parameter that exploits the SQL injection flaw. The vulnerability can be triggered through the WordPress admin interface by navigating to the Instructors List and using the bulk action feature to update instructor statuses, which involves the vulnerable 'date' parameter.
Remediation
Users are advised to update the Tutor LMS plugin to version 3.9.9 or later, where this vulnerability has been patched.
Added: Apr 17, 2026, 5:23 AM
Updated: Apr 17, 2026, 5:23 AM
Vulnerability Rating
Custom Algorithm
spread
5.2impact
5.0exploitability
6.0remediation
7.7relevance
6.1threat
4.8urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.