Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6.
Published: 2026-02-28
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data extraction
Action: Patch
AI Analysis

Impact

An unauthenticated SQL injection flaw exists in the Tutor LMS – eLearning and online course solution plugin for WordPress. The vulnerability is triggered through the coupon_code parameter, which is neither adequately escaped nor bound through a prepared statement. By injecting SQL into this parameter, an attacker could append additional statements that run against the backend database, potentially extracting sensitive data such as user credentials, course content, and payment information. The flaw is a classic injection weakness classified as CWE-89.

Affected Systems

All releases of the Tutor LMS plugin up to and including version 3.9.6 are affected. The vendor is Themeum, whose Tutor LMS product is widely deployed on WordPress sites for e-learning and online courses. Despite partial mitigation efforts in versions 3.9.4 and 3.9.6, the flaw remains present in 3.9.6 and all earlier releases.

Risk and Exploitability

The CVSS base score of 7.5 marks this issue as high-severity, while an EPSS score below 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Because the flaw requires no authentication and is triggered simply by supplying the coupon_code parameter, it is reachable by any client that can reach the site. In practice, unless mitigated by firewalls or patching, the risk is moderate to high depending on site exposure.

Generated by OpenCVE AI on April 22, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tutor LMS to a version newer than 3.9.6 (or the latest available release that contains the fix).
  • Implement a web application firewall or an input validation layer to block malicious SQL payloads on the coupon_code parameter.
  • Restrict the coupon_code parameter to authenticated users only and enforce least-privilege on the database account used by WordPress, ensuring it cannot execute arbitrary queries.
  • Monitor database logs for anomalous query patterns that could indicate injection attempts.
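As an added illustration, and not code from the Tutor LMS plugin or from OpenCVE, the following hypothetical WordPress snippet shows the unsafe pattern the description names (a request value interpolated into a coupon lookup with neither escaping nor preparation) next to the form a maintainer would ship: the same lookup routed through $wpdb->prepare(), with an allow-list check on the parameter in front of it. The table name example_coupons, its columns, and the function names are assumptions made for this example.

```php
<?php
// Added example, not the plugin's code. Assumes a hypothetical coupons table
// named {$wpdb->prefix}example_coupons with columns `code`, `discount`, `active`.

// Unsafe pattern (the CWE-89 shape described in the advisory): the request value
// is dropped straight into the SQL string, so quotes and operators in the input
// become part of the statement instead of part of the compared value.
function example_coupon_lookup_unsafe( $coupon_code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_coupons';
    $sql   = "SELECT code, discount FROM {$table} WHERE code = '{$coupon_code}' AND active = 1";
    return $wpdb->get_row( $sql );
}

// Hardened pattern: the value is normalised, then bound through $wpdb->prepare(),
// which quotes and escapes the %s placeholder so the input can only ever be a
// string literal, never additional SQL. The table name comes from the trusted
// $wpdb->prefix, not from the request, so interpolating it is fine.
function example_coupon_lookup_safe( $coupon_code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_coupons';
    $code  = sanitize_text_field( wp_unslash( $coupon_code ) );
    $sql   = $wpdb->prepare(
        "SELECT code, discount FROM {$table} WHERE code = %s AND active = 1",
        $code
    );
    return $wpdb->get_row( $sql );
}

// Caller shape for an unauthenticated endpoint: read the parameter, reject
// anything outside the coupon-code format before any query runs, then use the
// prepared variant only. The format check is defence in depth; prepare() is
// the actual fix.
function example_handle_coupon_request() {
    $raw = isset( $_REQUEST['coupon_code'] ) ? (string) $_REQUEST['coupon_code'] : '';
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $raw ) ) {
        return new WP_Error( 'invalid_coupon', 'Coupon code format not accepted.' );
    }
    return example_coupon_lookup_safe( $raw );
}
```

The allow-list regex is an assumed coupon format, not the plugin's; tighten or relax it to match what the site actually issues. Pairing the prepared query with a database account that holds only the privileges WordPress needs, as the recommended actions above suggest, limits what even a successful injection elsewhere in the site could read.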

Tracking


Advisories

No advisories yet.

History

Mon, 02 Mar 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Themeum; Themeum tutor Lms – Elearning And Online Course Solution; Wordpress; Wordpress wordpress
Vendors & Products  |                | Themeum; Themeum tutor Lms – Elearning And Online Course Solution; Wordpress; Wordpress wordpress

Sat, 28 Feb 2026 07:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6.
Title       |                | Tutor LMS <= 3.9.6 - Unauthenticated SQL Injection via coupon_code
Weaknesses  |                | CWE-89
References  |                |
Metrics     |                | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Themeum Tutor Lms – Elearning And Online Course Solution
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:32:19.793Z

Reserved: 2025-11-25T18:00:47.434Z

Link: CVE-2025-13673

Vulnrichment

Updated: 2026-03-02T15:30:23.143Z

NVD

Status : Deferred

Published: 2026-02-28T08:15:58.317

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13673

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T15:30:20Z

Weaknesses