Description
The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter used in the get_submitted_assignments() function in all versions up to, and including, 3.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Tutor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Only the Pro version is affected.
Published: 2025-08-13
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Immediate Patch
AI Analysis

Impact

The plugin contains a time‑based SQL Injection flaw in the order parameter of the get_submitted_assignments() function. Because the value is concatenated directly into an SQL statement without proper escaping or parameterization, an attacker who can log in as a Tutor Instructor or higher can append malicious SQL to the query. This allows unauthorized extraction of arbitrary data from the database, effectively compromising confidentiality and potentially enabling further exploitation if the database contains sensitive user or system information.

Affected Systems

WordPress sites using the Tutor LMS Pro plugin, version 3.7.0 or earlier, including the 3.7.0 release. Only the Pro edition is affected; the free version is not vulnerable.

Risk and Exploitability

The CVSS v3 score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests that the likelihood of exploitation is low at the time of this analysis. However, the vulnerability is included for authenticated users with Tutor Instructor+ privileges, a role that many course administrators possess. The flaw is not listed in the CISA KEV catalog, but the nature of the SQL injection remains a critical concern for any site that handles sensitive data through this plugin.

Generated by OpenCVE AI on April 22, 2026 at 00:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tutor LMS Pro to version 3.8 or newer, which removes the vulnerable code path
  • If an upgrade is not immediately possible, restrict access so that only trusted users have Tutor Instructor+ role
  • Monitor logs for suspicious SQL activity

Generated by OpenCVE AI on April 22, 2026 at 00:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-24547 The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter used in the get_submitted_assignments() function in all versions up to, and including, 3.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Tutor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Only the Pro version is affected.
History

Thu, 14 Aug 2025 06:30:00 +0000

Type Values Removed Values Added
First Time appeared Themeum
Themeum tutor Lms
Wordpress
Wordpress wordpress
Vendors & Products Themeum
Themeum tutor Lms
Wordpress
Wordpress wordpress

Wed, 13 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 Aug 2025 06:45:00 +0000

Type Values Removed Values Added
Description The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter used in the get_submitted_assignments() function in all versions up to, and including, 3.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Tutor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Only the Pro version is affected.
Title Tutor LMS Pro – eLearning and online course solution <= 3.7.0 - Authenticated (Tutor Instructor+) SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Themeum Tutor Lms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:57.980Z

Reserved: 2025-06-16T18:24:38.972Z

Link: CVE-2025-6184

cve-icon Vulnrichment

Updated: 2025-08-13T13:28:47.688Z

cve-icon NVD

Status : Deferred

Published: 2025-08-13T07:15:27.660

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6184

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T01:00:04Z

Weaknesses