Description
Unauthenticated SQL Injection in Tutor LMS Pro <= 3.9.6 versions.
Published: 2026-06-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated SQL Injection vulnerability exists in the Tutor LMS Pro plugin for WordPress versions 3.9.6 and earlier. The flaw allows an attacker to craft input that is incorporated unchecked into database queries, enabling the execution of arbitrary SQL statements. This can lead to data theft and data manipulation. The weakness is classified as CWE-89.

Affected Systems

WordPress installations that have the Tutor LMS Pro plugin from Themeum installed in version 3.9.6 or earlier are affected. No specific operating system, PHP version, or WordPress core version constraints are mentioned. All deployments of the vulnerable plugin with exposed endpoints are at risk if the platform is reachable from the internet.

Risk and Exploitability

The CVSS score of 9.3 marks the defect as critical. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, yet the possibility of remote exploitation remains high. Attackers can potentially exploit the flaw by sending specially crafted requests to the plugin’s endpoints without authentication. It is inferred that the likely attack vector is HTTP requests targeting these endpoints, as is typical for web application vulnerabilities, although the CVE description does not explicitly state the method.

Generated by OpenCVE AI on June 18, 2026 at 15:35 UTC.

Remediation

Vendor Solution

Update the WordPress Tutor LMS Pro plugin to the latest available version (at least 3.9.7).


OpenCVE Recommended Actions

  • Upgrade the Tutor LMS Pro plugin to version 3.9.7 or later to eliminate the vulnerability.
  • Configure the plugin so that only authenticated administrators can access the vulnerable endpoints, and restrict public access if not needed.
  • Enable logging and monitor database and web server logs for suspicious activity, and apply a web application firewall rule to block malicious SQL injection payloads.

Generated by OpenCVE AI on June 18, 2026 at 15:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Themeum
Themeum tutor Lms
Wordpress
Wordpress wordpress
Vendors & Products Themeum
Themeum tutor Lms
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated SQL Injection in Tutor LMS Pro <= 3.9.6 versions.
Title WordPress Tutor LMS Pro plugin <= 3.9.6 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Themeum Tutor Lms
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:31:50.291Z

Reserved: 2026-01-07T12:21:02.765Z

Link: CVE-2026-22332

cve-icon Vulnrichment

Updated: 2026-06-17T13:37:34.558Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T07:30:05Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')