Skip to main content

Tutor LMS CVE-2026-10736

| EUVDEUVD-2026-37846 MEDIUM
SQL Injection (CWE-89)
2026-06-18 Wordfence GHSA-rpm3-wm83-49v2
4.9
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.9 MEDIUM

Administrator credentials required (PR:H); network-accessible admin panel (AV:N); read-only SQL injection yields confidentiality impact only (C:H/I:N/A:N).

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 18, 2026 - 06:21 vuln.today
CVE Published
Jun 18, 2026 - 05:34 cve.org
MEDIUM 4.9

DescriptionCVE.org

The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

SQL injection in Tutor LMS (WordPress plugin by Themeum) exposes the underlying database to read-access by any authenticated administrator. The flaw resides in the withdrawal-request management flow - specifically WithdrawModel.php and withdraw_requests.php - where a 'data' parameter is passed to SQL queries without adequate escaping or parameterization. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress administrator credentials
Delivery
Authenticate to wp-admin panel
Exploit
Navigate to Tutor LMS withdrawal requests view
Execution
Submit crafted 'data' parameter with SQL payload
Persist
Trigger unsanitized SQL query in WithdrawModel.php
Impact
Exfiltrate sensitive database records

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress user account with administrator-level role (or higher, e.g., Super Admin on multisite). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 4.9 with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N accurately reflects the attack prerequisites: the vulnerability is network-reachable but requires administrator-level credentials (PR:H), which substantially limits the attacker pool. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with valid WordPress administrator credentials logs into the wp-admin panel and navigates to the Tutor LMS withdrawal-requests management interface. By submitting a crafted value in the 'data' parameter - exploiting the lack of parameterized queries in WithdrawModel.php - the attacker appends a UNION- or stacked-query payload to extract arbitrary table contents, including WordPress user password hashes, email addresses, private course data, and stored payment information. …
Remediation Vendor-released patch: version 3.9.12. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10736 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy