{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6080", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-10T14:52:47.051Z", "datePublished": "2026-04-17T03:36:44.234Z", "dateUpdated": "2026-04-17T03:36:44.234Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-17T03:36:44.234Z"}, "affected": [{"vendor": "themeum", "product": "Tutor LMS \u2013 eLearning and online course solution", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.9.8", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database."}], "title": "Tutor LMS <= 3.9.8 - Authenticated (Admin+) SQL Injection via 'date' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dd041ff-a0a3-4d1f-83e0-6ec2a978e9cf?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Instructors_List.php#L376"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Instructors_List.php#L376"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/views/pages/instructors.php#L38"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/views/pages/instructors.php#L38"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Instructors_List.php#L451"}, {"url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Instructors_List.php#L451"}, {"url": "https://plugins.trac.wordpress.org/changeset/3505142/tutor/tags/3.9.9/classes/Instructors_List.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "PRISM"}], "timeline": [{"time": "2026-04-10T15:07:56.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-16T15:15:35.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database."}], "id": "CVE-2026-6080", "lastModified": "2026-04-17T05:16:19.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-17T05:16:19.430", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Instructors_List.php#L376"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Instructors_List.php#L451"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/views/pages/instructors.php#L38"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Instructors_List.php#L376"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Instructors_List.php#L451"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tutor/trunk/views/pages/instructors.php#L38"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3505142/tutor/tags/3.9.9/classes/Instructors_List.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6dd041ff-a0a3-4d1f-83e0-6ec2a978e9cf?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.9.8]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Tutor LMS \u2013 eLearning and online course solution", "source": "cna", "vendor": "themeum"}, "product": "tutor_lms_\u2013_elearning_and_online_course_solution", "vendor": "themeum"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T05:51:57.132328+00:00", "value": {"mitigation_remediation": ["Upgrade the Tutor LMS plugin to version 3.9.9 or later, which resolves the SQL injection issue.", "If an upgrade cannot be performed immediately, remove or disable the 'date' parameter from the instructor listing URL, or modify the Instructors_List.php files to enforce parameter sanitization before building the SQL query.", "Restrict administrative privileges to trusted users only, review WordPress roles, and audit user accounts for potential compromise, to reduce the chances of an attacker gaining the required access to trigger the flaw."], "summary": {"action": "Patch Immediately", "impact": "SQL Injection leading to data disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is Tutor LMS, developed by themeum, for WordPress sites. Versions up to and including 3.9.8 are impacted. Users running those or earlier releases of the plugin should review their version and consider remedial action.", "description_and_impact": "The Tutor LMS plugin for WordPress contains an SQL injection flaw that allows an authenticated attacker with Administrator or higher privileges to inject additional SQL statements via the 'date' URL parameter. The vulnerability arises because the parameter is not properly escaped before being concatenated into a SQL fragment passed to $wpdb->prepare(), enabling arbitrary query execution. This flaw can result in the theft of sensitive database contents, such as user data and course information, while leaving system integrity and availability largely intact.", "risk_and_exploitability": "The vulnerability has a CVSS score of 6.5, indicating a moderate-to-high severity. Exploitability is contingent on administrative access to the WordPress dashboard or to the specific instructor list page. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. Because the attacker must be authenticated, the attack vector is indirect and requires the attacker to have existing login credentials with sufficient privileges. Once activated, the injected queries can extract database content, but the flaw does not provide full remote code execution or denial of service."}}}}, "created": "2026-04-17T05:30:10.324480+00:00", "updated": "2026-04-17T06:00:09.271892+00:00", "vendors": ["themeum", "themeum$PRODUCT$tutor_lms_\u2013_elearning_and_online_course_solution", "wordpress", "wordpress$PRODUCT$wordpress"]}