Impact
An unauthenticated SQL Injection vulnerability exists in the Tutor LMS Pro plugin for WordPress versions 3.9.6 and earlier. The flaw allows an attacker to craft input that is incorporated unchecked into database queries, enabling the execution of arbitrary SQL statements. This can lead to data theft and data manipulation. The weakness is classified as CWE-89.
Affected Systems
WordPress installations that have the Tutor LMS Pro plugin from Themeum installed in version 3.9.6 or earlier are affected. No specific operating system, PHP version, or WordPress core version constraints are mentioned. All deployments of the vulnerable plugin with exposed endpoints are at risk if the platform is reachable from the internet.
Risk and Exploitability
The CVSS score of 9.3 marks the defect as critical. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, yet the possibility of remote exploitation remains high. Attackers can potentially exploit the flaw by sending specially crafted requests to the plugin’s endpoints without authentication. It is inferred that the likely attack vector is HTTP requests targeting these endpoints, as is typical for web application vulnerabilities, although the CVE description does not explicitly state the method.
OpenCVE Enrichment