CVE-2026-6080

| EUVD-2026-23364 MEDIUM
2026-04-17 Wordfence
WordPress SQLi
6.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Apr 17, 2026 - 04:41 vuln.today

DescriptionNVD

The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database.

AnalysisAI

SQL injection in Tutor LMS plugin for WordPress through version 3.9.8 allows authenticated Admin-level attackers to extract sensitive database information by injecting malicious SQL via the 'date' parameter, which is insufficiently escaped before being interpolated into a SQL fragment passed to $wpdb->prepare(). The vulnerability requires Admin authentication and does not permit data modification or denial of service. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-6080 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy