CVE-2025-13673
SQL Injection in Tutor LMS Plugin Allows Data Extraction
Publication date: 2026-02-28
Last updated on: 2026-02-28
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tutor_lms | tutor | to 3.9.6 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Tutor LMS plugin for WordPress has a vulnerability in the 'coupon_code' parameter that allows SQL Injection. This happens because the plugin does not properly escape or prepare the user-supplied input before including it in SQL queries.
As a result, an unauthenticated attacker can inject additional SQL commands into the query, potentially extracting sensitive information from the database.
Partial mitigations were introduced in versions 3.9.4 and 3.9.6, but the vulnerability exists in all versions up to and including 3.9.6.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to extract sensitive information from your website's database without authentication.
Since the attacker can manipulate SQL queries, they might access confidential data such as user information, course details, or other protected content stored in the database.
This could lead to data breaches, loss of user trust, and potential damage to your organization's reputation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability in Tutor LMS versions up to and including 3.9.6 is partially mitigated in versions 3.9.4 and 3.9.6.
The immediate step to mitigate this vulnerability is to update the Tutor LMS plugin to version 3.9.7 or later, as this update addresses multiple aspects of the plugin and likely includes a fix for this SQL Injection vulnerability.