Impact
The eLearning plugin is vulnerable to generic SQL Injection via the data parameter, allowing authenticated users with administrator privileges to append malicious SQL. This flaw can compromise confidentiality by extracting database contents but does not provide immediate remote code execution or denial of service. The weakness originates from insufficient escaping and lack of query preparation, as identified by CWE‑89.
Affected Systems
The vulnerability affects all versions of Tutor LMS through 3.9.11, published by themeum. Stakeholders running this plugin on WordPress sites must assess whether their installations employ administrator‑level roles or higher. Versions newer than 3.9.11 are of interest.
Risk and Exploitability
The CVSS score of 4.9 indicates moderate impact, and the EPSS score below 1% suggests the likelihood of exploitation is low. The fault requires authenticated access, thus limiting attackers to those with admin credentials. Because the flaw is not listed in CISA KEV, no immediate public exploitation is known. Nonetheless, the ability to read sensitive data remains a concern.
OpenCVE Enrichment