What is the CVSS score of CVE-2020-37147?

CVE-2020-37147 has a CVSS 3.1 base score of 7.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of PHP are affected by CVE-2020-37147?

ATutor 2.2.4 installations contain a SQL injection vulnerability in the admin user management interface that could allow authenticated administrators with malicious intent to manipulate or exfiltrate…

Is there a public PoC exploit available for CVE-2020-37147?

Yes, a public proof-of-concept exploit is available for CVE-2020-37147. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2020-37147?

Within 24 hours: Audit all admin accounts with user deletion privileges and review recent deletion activity logs for anomalies. Within 7 days: Implement network segmentation to restrict admin interface access to trusted IP ranges and enforce multi-factor authentication for administrative accounts. Within 30 days: Evaluate upgrade feasibility to a patched version or decommission ATutor if not operationally critical; if retention is necessary, deploy a Web Application Firewall (WAF) with SQL injection detection rules targeting the user deletion endpoint.

PHP CVE-2020-37147

HIGH

SQL Injection (CWE-89)

2026-02-07 disclosure@vulncheck.com

PHP SQLi

7.1

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

7.1 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 09, 2026 - 16:08 vuln.today

Public exploit code

CVE Published

Feb 07, 2026 - 00:15 nvd

HIGH 7.1

DescriptionCVE.org

ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information.

AnalysisAI

ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. [CVSS 7.1 HIGH]

Technical ContextAI

Classified as CWE-89 (SQL Injection). Affects admin user deletion page. ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admin_delete.php script to potentially extract or modify database information.

Affected ProductsAI

Product: admin user deletion page.

RemediationAI

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.