Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.5
Tutor LMS plugin for WordPress exposes sensitive data to attackers
CVE-2026-6080
Summary
The Tutor LMS plugin for WordPress has a security flaw that can allow attackers with admin access to steal sensitive information from the database. This affects versions up to 3.9.8. Update to the latest version to fix the issue.
Original title
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolat...
Original description
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database.
nvd CVSS3.1
6.5
Vulnerability type
CWE-89
SQL Injection
- https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Instructors_...
- https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Instructors_...
- https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/views/pages/instruct...
- https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Instructors_List....
- https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Instructors_List....
- https://plugins.trac.wordpress.org/browser/tutor/trunk/views/pages/instructors.p...
- https://plugins.trac.wordpress.org/changeset/3505142/tutor/tags/3.9.9/classes/In...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6dd041ff-a0a3-4d1f-83e...
Published: 17 Apr 2026 · Updated: 17 Apr 2026 · First seen: 17 Apr 2026