Skip to main content

Tutor LMS EUVDEUVD-2026-44888

| CVE-2026-15022 MEDIUM
SQL Injection (CWE-89)
2026-07-16 Wordfence GHSA-ghjh-hcg5-5c66
6.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.7 MEDIUM

UI:R reflects that a privileged user must actively call the REST endpoint to trigger SQL execution; all other metrics align with the provided vector.

3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 09:06 vuln.today
CVE Published
Jul 16, 2026 - 07:51 cve.org
MEDIUM 6.5

DescriptionNVD

The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via Stored Quiz Answer Array in all versions up to, and including, 4.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The payload is stored at quiz-attempt time via the wp_ajax_tutor_quiz_abandon handler, but the injected SQL executes only when a privileged user or Tutor REST API key holder requests the /wp-json/tutor/v1/quiz-attempt-details/{id} endpoint, making this a second-order (stored) injection chain.

AnalysisAI

{id} - complicates both detection and opportunistic exploitation, as the attacker cannot independently fire the injected SQL. No public exploit code or CISA KEV listing has been identified at time of analysis, and EPSS data was not provided.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate as student-level WordPress user
Delivery
Enroll in quiz-bearing course
Exploit
Submit crafted answer array via wp_ajax_tutor_quiz_abandon containing SQL payload
Install
Payload persisted in database without sanitization
C2
Privileged admin or REST API key holder requests /wp-json/tutor/v1/quiz-attempt-details/{id}
Execute
Stored payload executes through QueryHelper.php SQL context
Impact
Sensitive database records exfiltrated

Vulnerability AssessmentAI

Exploitation The attacker must hold a WordPress account with at minimum custom-level role access as defined by Tutor LMS - equivalent to a course student or subscriber - sufficient to invoke the wp_ajax_tutor_quiz_abandon AJAX handler, which requires active enrollment in a quiz-bearing course. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) rates confidentiality impact as High, which is consistent with the ability to exfiltrate arbitrary database contents including WordPress user credentials and course data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers as a student on a Tutor LMS-powered WordPress site and enrolls in any quiz-bearing course. During a quiz attempt, they submit a crafted abandonment request to wp_ajax_tutor_quiz_abandon containing a SQL injection payload embedded in the answer array; the payload is stored in the database without sanitization. …
Remediation No patched version is explicitly identified in the available intelligence data - the source code references at tags 3.9.9 and 3.9.13 reflect vulnerable code locations, not fixed releases, and no changelog entry or fixed version number was provided. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-44888 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy