Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
UI:R reflects that a privileged user must actively call the REST endpoint to trigger SQL execution; all other metrics align with the provided vector.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via Stored Quiz Answer Array in all versions up to, and including, 4.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The payload is stored at quiz-attempt time via the wp_ajax_tutor_quiz_abandon handler, but the injected SQL executes only when a privileged user or Tutor REST API key holder requests the /wp-json/tutor/v1/quiz-attempt-details/{id} endpoint, making this a second-order (stored) injection chain.
AnalysisAI
{id} - complicates both detection and opportunistic exploitation, as the attacker cannot independently fire the injected SQL. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not provided.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must hold a WordPress account with at minimum custom-level role access as defined by Tutor LMS - equivalent to a course student or subscriber - sufficient to invoke the wp_ajax_tutor_quiz_abandon AJAX handler, which requires active enrollment in a quiz-bearing course. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) rates confidentiality impact as High, which is consistent with the ability to exfiltrate arbitrary database contents including WordPress user credentials and course data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers as a student on a Tutor LMS-powered WordPress site and enrolls in any quiz-bearing course. During a quiz attempt, they submit a crafted abandonment request to wp_ajax_tutor_quiz_abandon containing a SQL injection payload embedded in the answer array; the payload is stored in the database without sanitization. … |
| Remediation | No patched version is explicitly identified in the available intelligence data - the source code references at tags 3.9.9 and 3.9.13 reflect vulnerable code locations, not fixed releases, and no changelog entry or fixed version number was provided. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Stored Cross-Site Scripting in Tutor LMS (WordPress plugin by Themeum) versions through 3.9.13 allows authenticated atta
SQL injection in Tutor LMS (WordPress plugin by Themeum) exposes the underlying database to read-access by any authentic
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44888
GHSA-ghjh-hcg5-5c66