Tutor Lms Pro
Monthly
SQL injection in Tutor LMS Pro (Themeum) versions 3.9.6 and earlier allows remote unauthenticated attackers to inject arbitrary SQL against the underlying WordPress database. The CVSS 9.3 rating reflects a scope change with high confidentiality impact, meaning data accessible to the WordPress backend can be exposed. As of analysis, no public exploit identified at time of analysis, and the issue is tracked via Patchstack.
Authentication bypass in Tutor LMS Pro WordPress plugin (versions through 3.9.4) allows remote attackers to abuse authentication mechanisms via alternate paths, potentially gaining unauthorized administrative access. CVSS 8.1 reflects high attack complexity (AC:H) requiring specific conditions, yet successful exploitation grants complete system compromise (C:H/I:H/A:H). EPSS probability of 0.02% (6th percentile) indicates low observed exploitation activity. No active exploitation confirmed by CISA KEV. SSVC framework classifies this as non-automatable with total technical impact, making it a priority for organizations running this WordPress LMS plugin despite low real-world exploitation signals.
SQL injection in Tutor LMS Pro (Themeum) versions 3.9.6 and earlier allows remote unauthenticated attackers to inject arbitrary SQL against the underlying WordPress database. The CVSS 9.3 rating reflects a scope change with high confidentiality impact, meaning data accessible to the WordPress backend can be exposed. As of analysis, no public exploit identified at time of analysis, and the issue is tracked via Patchstack.
Authentication bypass in Tutor LMS Pro WordPress plugin (versions through 3.9.4) allows remote attackers to abuse authentication mechanisms via alternate paths, potentially gaining unauthorized administrative access. CVSS 8.1 reflects high attack complexity (AC:H) requiring specific conditions, yet successful exploitation grants complete system compromise (C:H/I:H/A:H). EPSS probability of 0.02% (6th percentile) indicates low observed exploitation activity. No active exploitation confirmed by CISA KEV. SSVC framework classifies this as non-automatable with total technical impact, making it a priority for organizations running this WordPress LMS plugin despite low real-world exploitation signals.