Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-06-18
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The eLearning plugin is vulnerable to generic SQL Injection via the data parameter, allowing authenticated users with administrator privileges to append malicious SQL. This flaw can compromise confidentiality by extracting database contents but does not provide immediate remote code execution or denial of service. The weakness originates from insufficient escaping and lack of query preparation, as identified by CWE‑89.

Affected Systems

The vulnerability affects all versions of Tutor LMS through 3.9.11, published by themeum. Stakeholders running this plugin on WordPress sites must assess whether their installations employ administrator‑level roles or higher. Versions newer than 3.9.11 are of interest.

Risk and Exploitability

The CVSS score of 4.9 indicates moderate impact, and the EPSS score below 1% suggests the likelihood of exploitation is low. The fault requires authenticated access, thus limiting attackers to those with admin credentials. Because the flaw is not listed in CISA KEV, no immediate public exploitation is known. Nonetheless, the ability to read sensitive data remains a concern.

Generated by OpenCVE AI on June 18, 2026 at 17:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tutor LMS to version 3.9.12 or later.
  • Verify that the database queries use prepared statements and proper parameter sanitization.
  • Restrict administrator privileges and audit role assignments for potential unauthorized access.
  • Monitor database logs for suspicious query patterns and review access controls regularly.

Generated by OpenCVE AI on June 18, 2026 at 17:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Themeum
Themeum tutor Lms – Elearning And Online Course Solution
Wordpress
Wordpress wordpress
Vendors & Products Themeum
Themeum tutor Lms – Elearning And Online Course Solution
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Tutor LMS <= 3.9.11 - Authenticated (Administrator+) SQL Injection via 'data' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

Themeum Tutor Lms – Elearning And Online Course Solution
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-18T15:52:02.866Z

Reserved: 2026-06-03T12:58:16.370Z

Link: CVE-2026-10736

cve-icon Vulnrichment

Updated: 2026-06-18T15:51:54.245Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T18:30:15Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')