Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Administrator credentials required (PR:H); network-accessible admin panel (AV:N); read-only SQL injection yields confidentiality impact only (C:H/I:N/A:N).
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AnalysisAI
SQL injection in Tutor LMS (WordPress plugin by Themeum) exposes the underlying database to read-access by any authenticated administrator. The flaw resides in the withdrawal-request management flow - specifically WithdrawModel.php and withdraw_requests.php - where a 'data' parameter is passed to SQL queries without adequate escaping or parameterization. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress user account with administrator-level role (or higher, e.g., Super Admin on multisite). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 4.9 with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N accurately reflects the attack prerequisites: the vulnerability is network-reachable but requires administrator-level credentials (PR:H), which substantially limits the attacker pool. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with valid WordPress administrator credentials logs into the wp-admin panel and navigates to the Tutor LMS withdrawal-requests management interface. By submitting a crafted value in the 'data' parameter - exploiting the lack of parameterized queries in WithdrawModel.php - the attacker appends a UNION- or stacked-query payload to extract arbitrary table contents, including WordPress user password hashes, email addresses, private course data, and stored payment information. … |
| Remediation | Vendor-released patch: version 3.9.12. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
{id} - complicates both detection and opportunistic exploitation, as the attacker cannot independently fire the injected
Stored Cross-Site Scripting in Tutor LMS (WordPress plugin by Themeum) versions through 3.9.13 allows authenticated atta
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37846
GHSA-rpm3-wm83-49v2