Description
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database.
Published: 2026-04-17
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to data disclosure
Action: Patch Immediately
AI Analysis

Impact

The Tutor LMS plugin for WordPress contains an SQL injection flaw that allows an authenticated attacker with Administrator or higher privileges to inject additional SQL statements via the 'date' URL parameter. The vulnerability arises because the parameter is not escaped before it is concatenated into the SQL string that is then passed to $wpdb->prepare(); since prepare() only binds its own placeholders, the interpolated value bypasses that protection and additional SQL can be appended to the query. This flaw can result in the theft of sensitive database contents, such as user data and course information, while leaving system integrity and availability largely intact.
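The pattern the description names (a request parameter interpolated into the SQL text before $wpdb->prepare() runs) and its corrected form, as an added illustration written for this page. This is not Tutor LMS code: the function names, the table, and the query shape are hypothetical; only the WordPress APIs ($wpdb->prepare(), sanitize_text_field(), wp_unslash()) are real.

```php
<?php
// Added illustration, not code from the Tutor LMS plugin.
// Function names, table and query are hypothetical stand-ins.

// VULNERABLE PATTERN: the 'date' value is spliced into the SQL text first,
// so by the time $wpdb->prepare() runs it is already part of the query.
// prepare() only binds the %d placeholder; it cannot protect $date.
function build_instructor_query_vulnerable( wpdb $wpdb, string $date ): string {
    $sql = "SELECT ID, user_login FROM {$wpdb->users}"
         . " WHERE DATE(user_registered) = '{$date}' AND user_status = %d";
    return $wpdb->prepare( $sql, 0 );
}

// HARDENED FORM: validate the value to the shape the feature expects,
// then hand it to prepare() as a bound %s placeholder, never as SQL text.
function build_instructor_query_fixed( wpdb $wpdb, string $date ): ?string {
    // Allow-list: anything other than YYYY-MM-DD is rejected outright.
    if ( ! preg_match( '/^\d{4}-\d{2}-\d{2}$/', $date ) ) {
        return null;
    }
    return $wpdb->prepare(
        "SELECT ID, user_login FROM {$wpdb->users}"
        . " WHERE DATE(user_registered) = %s AND user_status = %d",
        $date,
        0
    );
}

// Call site (hypothetical): sanitize at the request boundary as well.
$date = isset( $_GET['date'] )
    ? sanitize_text_field( wp_unslash( $_GET['date'] ) )
    : '';

$sql = build_instructor_query_fixed( $wpdb, $date );
if ( null === $sql ) {
    wp_die( 'Invalid date parameter.' );
}
$rows = $wpdb->get_results( $sql );
```

The decisive difference is where the value enters: in the vulnerable version it becomes part of the string that prepare() receives, so prepare() treats it as query text; in the fixed version it travels as an argument and is escaped by prepare() itself. The regular-expression check is an extra layer that also keeps malformed dates out of the query, which is what the advisory's "enforce parameter sanitization before building the SQL query" recommendation amounts to.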

Affected Systems

The affected product is Tutor LMS, developed by themeum, for WordPress sites. Versions up to and including 3.9.8 are impacted. Users running 3.9.8 or an earlier release of the plugin should check their version and take remedial action.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5 (Medium). Exploitability is contingent on administrative access to the WordPress dashboard or to the specific instructor list page. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. Because the attacker must be authenticated, the attack vector is indirect and requires existing login credentials with sufficient privileges. Once exploited, the injected queries can extract database content, but the flaw does not provide remote code execution or denial of service.

Generated by OpenCVE AI on April 17, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tutor LMS plugin to version 3.9.9 or later, which resolves the SQL injection issue.
  • If an upgrade cannot be performed immediately, remove or disable the 'date' parameter from the instructor listing URL, or modify the Instructors_List.php files to enforce parameter sanitization before building the SQL query.
  • Restrict administrative privileges to trusted users only, review WordPress roles, and audit user accounts for potential compromise, to reduce the chances of an attacker gaining the required access to trigger the flaw.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 05:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Themeum; Themeum tutor Lms – Elearning And Online Course Solution; Wordpress; Wordpress wordpress
Vendors & Products | | Themeum; Themeum tutor Lms – Elearning And Online Course Solution; Wordpress; Wordpress wordpress

Fri, 17 Apr 2026 04:30:00 +0000

Type | Values Removed | Values Added
Description | | The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database.
Title | | Tutor LMS <= 3.9.8 - Authenticated (Admin+) SQL Injection via 'date' Parameter
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-17T03:36:44.234Z

Reserved: 2026-04-10T14:52:47.051Z

Link: CVE-2026-6080

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-17T05:16:19.430

Modified: 2026-04-17T05:16:19.430

Link: CVE-2026-6080

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T06:00:09Z

Weaknesses