Wordfence disclosed a critical SQL injection vulnerability in the Tutor LMS Pro WordPress plugin affecting versions up to and including 3.7.0. The flaw is patched in version 3.7.1. Site owners should update promptly.

Tutor LMS Pro vulnerability
The vulnerability stems from insufficient input escaping and a lack of prepared SQL statements. An authenticated user with the Tutor Instructor role can exploit a time-based SQL injection via the order parameter in the get_submitted_assignments() function, potentially exposing sensitive data from the WordPress database.
Key details
- Severity: 8.8 CVSS v3, per Wordfence
- Affected product: Tutor LMS Pro - e-learning and online course solution for WordPress
- Affected versions: all versions up to and including 3.7.0
- Fixed version: 3.7.1
- Attack vector: order parameter in get_submitted_assignments()
- Required access: authenticated Tutor Instructor role
- Impact: potential extraction of sensitive information from the WordPress database
- Source: Wordfence Threat Intelligence advisory
Background
The advisory attributes the issue to improper handling of user input and missing prepared SQL statements. These conditions allowed injection through the order parameter.
In a time-based SQL injection, an attacker infers data by introducing controlled delays in database responses. Measuring those delays can reveal whether certain conditions are true, allowing sensitive information to be deduced over time.
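The pattern behind this class of bug, as an added illustration that is not Tutor LMS Pro's code: the advisory states only that the order parameter reached the query without escaping or a prepared statement, so this example assumes the parameter ends up in an ORDER BY clause (an assumption, since the code path is not published) and shows the unsafe construction beside the allowlist-based fix. The table name, column names, function names and the ExampleWpdb stand-in for WordPress's $wpdb are likewise assumptions made for the example.

```php
<?php
// Added illustration, not Tutor LMS Pro's code. Shows an "order" request
// parameter reaching an ORDER BY clause unsafely, then the allowlist fix.
// Assumptions: table {$wpdb->prefix}assignment_submissions with columns
// id, student_id, assignment_id, submitted_at; ExampleWpdb stands in for $wpdb.

// Minimal stand-in for WordPress's $wpdb so the file runs outside WordPress.
// The real $wpdb->prepare() does more (escaping, %s quoting); only %d is used here.
class ExampleWpdb {
    public string $prefix = 'wp_';
    public function prepare( string $query, ...$args ): string {
        return vsprintf( $query, $args );
    }
}

// VULNERABLE pattern: both the assignment id and the sort direction are
// interpolated straight into SQL text. Nothing constrains $order, so whatever
// the request carried becomes part of the statement.
function example_vulnerable_submissions_query( ExampleWpdb $wpdb, $assignment_id, string $order ): string {
    $table = $wpdb->prefix . 'assignment_submissions';
    return "SELECT id, student_id, submitted_at FROM {$table}"
         . " WHERE assignment_id = {$assignment_id} ORDER BY submitted_at {$order}";
}

// Columns a caller may sort by. Identifiers cannot be bound as values, so an
// allowlist is the standard way to accept a column choice from a request.
const SORTABLE_COLUMNS = [ 'id', 'student_id', 'submitted_at' ];

// HARDENED pattern: the value is bound through prepare() with %d, and the
// identifier and the ASC/DESC keyword are chosen from fixed sets. Request input
// only selects between known-good strings; it never appears in the SQL itself.
function example_hardened_submissions_query( ExampleWpdb $wpdb, $assignment_id, string $orderby, string $order ): string {
    $table   = $wpdb->prefix . 'assignment_submissions';
    $orderby = in_array( $orderby, SORTABLE_COLUMNS, true ) ? $orderby : 'submitted_at';
    $order   = ( strtoupper( $order ) === 'ASC' ) ? 'ASC' : 'DESC';
    return $wpdb->prepare(
        "SELECT id, student_id, submitted_at FROM {$table} WHERE assignment_id = %d ORDER BY {$orderby} {$order}",
        (int) $assignment_id
    );
}

// Demo with constructed input. In a real request both values are caller-controlled.
$wpdb          = new ExampleWpdb();
$assignment_id = $_GET['assignment_id'] ?? '7';
$order         = $_GET['order'] ?? 'desc extra';   // arbitrary string, shows it lands verbatim

echo "vulnerable: ", example_vulnerable_submissions_query( $wpdb, $assignment_id, $order ), "\n";
echo "hardened:   ", example_hardened_submissions_query( $wpdb, $assignment_id, 'submitted_at', $order ), "\n";
```

Run from the command line, the vulnerable line ends in "ORDER BY submitted_at desc extra" while the hardened line ends in "ORDER BY submitted_at DESC": the same input reaches both functions, but only the first lets it into the statement. Two WordPress core facilities serve the same purpose in plugin code: sanitize_sql_orderby() validates a "column ASC/DESC" string against a strict pattern, and WordPress 6.2 and later accept the %i placeholder in $wpdb->prepare() for quoting identifiers, which removes the need to hand-build the allowlist for column names (the direction keyword still needs the fixed choice shown above).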
Recommended actions
- Update Tutor LMS Pro to version 3.7.1 or later
- Limit and audit Tutor Instructor role accounts
- Review logs for unusual database delays or suspicious queries related to assignment submissions
- Use a web application firewall to help block SQL injection attempts
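One way to act on the log-review recommendation, as an added example that is not from the advisory: MySQL's slow query log records Query_time and Rows_examined per statement, so a query against the submissions table that took whole seconds while touching only a few rows is a delay the database's own work does not explain, which is exactly the footprint the Background section describes. The scanner below parses that log format, flags such entries, and as a second signal matches server-side delay functions in the query text. The log excerpt is constructed for the example and only exercises the timing signal; the table name is an assumption, not Tutor LMS Pro's schema.

```php
<?php
// Added example, not from the Wordfence advisory: flag entries in a MySQL
// slow-query log whose timing looks like a delay-based probe against the
// assignment submission queries. The log excerpt is constructed; the table
// name wp_assignment_submissions is an assumption, not the plugin's schema.

const SLOW_LOG_SAMPLE = <<<'LOG'
# Time: 2024-05-01T10:15:02.000000Z
# User@Host: wp_user[wp_user] @ localhost []  Id:    41
# Query_time: 0.004210  Lock_time: 0.000080 Rows_sent: 10  Rows_examined: 10
SET timestamp=1714558502;
SELECT id, student_id FROM wp_assignment_submissions WHERE assignment_id = 7 ORDER BY submitted_at DESC;
# Time: 2024-05-01T10:15:09.000000Z
# User@Host: wp_user[wp_user] @ localhost []  Id:    42
# Query_time: 5.001337  Lock_time: 0.000090 Rows_sent: 10  Rows_examined: 10
SET timestamp=1714558509;
SELECT id, student_id FROM wp_assignment_submissions WHERE assignment_id = 7 ORDER BY submitted_at DESC;
# Time: 2024-05-01T10:15:15.000000Z
# User@Host: wp_user[wp_user] @ localhost []  Id:    42
# Query_time: 5.000912  Lock_time: 0.000070 Rows_sent: 10  Rows_examined: 10
SET timestamp=1714558515;
SELECT id, student_id FROM wp_assignment_submissions WHERE assignment_id = 7 ORDER BY submitted_at DESC;
LOG;

/** Split the slow log into entries: one array per "# Time:" block. */
function parse_slow_log( string $text ): array {
    $entries = [];
    $current = null;
    foreach ( preg_split( '/\R/', $text ) as $line ) {
        if ( str_starts_with( $line, '# Time:' ) ) {
            if ( $current !== null ) { $entries[] = $current; }
            $current = [ 'time' => trim( substr( $line, 7 ) ), 'query_time' => 0.0,
                         'rows_examined' => 0, 'conn' => '', 'sql' => '' ];
            continue;
        }
        if ( $current === null ) { continue; }
        if ( preg_match( '/^# Query_time:\s+([\d.]+).*Rows_examined:\s+(\d+)/', $line, $m ) ) {
            $current['query_time']    = (float) $m[1];
            $current['rows_examined'] = (int) $m[2];
        } elseif ( preg_match( '/^# User@Host:.*Id:\s+(\d+)/', $line, $m ) ) {
            $current['conn'] = $m[1];   // connection id, useful for grouping a burst of probes
        } elseif ( $line !== '' && $line[0] !== '#' && ! str_starts_with( $line, 'SET timestamp' ) ) {
            $current['sql'] .= $line;   // statement text (may span several lines)
        }
    }
    if ( $current !== null ) { $entries[] = $current; }
    return $entries;
}

/**
 * Two signals for a timing probe on the watched table: the statement took
 * seconds while examining few rows (the delay is not explained by work done),
 * or the statement text names a server-side delay function outright.
 */
function flag_timing_anomalies( array $entries, string $table, float $min_seconds = 2.0, int $max_rows = 1000 ): array {
    $flagged = [];
    foreach ( $entries as $e ) {
        if ( stripos( $e['sql'], $table ) === false ) { continue; }
        $reasons = [];
        if ( $e['query_time'] >= $min_seconds && $e['rows_examined'] <= $max_rows ) {
            $reasons[] = sprintf( '%.3fs for %d rows examined', $e['query_time'], $e['rows_examined'] );
        }
        if ( preg_match( '/\b(SLEEP|BENCHMARK)\s*\(/i', $e['sql'] ) ) {
            $reasons[] = 'delay function in query text';
        }
        if ( $reasons ) {
            $flagged[] = [ 'time' => $e['time'], 'conn' => $e['conn'], 'reasons' => $reasons ];
        }
    }
    return $flagged;
}

foreach ( flag_timing_anomalies( parse_slow_log( SLOW_LOG_SAMPLE ), 'wp_assignment_submissions' ) as $f ) {
    printf( "%s conn=%s: %s\n", $f['time'], $f['conn'], implode( '; ', $f['reasons'] ) );
}
```

On the constructed sample the first entry passes and the two five-second entries from connection 42 are reported. Repeated near-identical durations from one connection are the detail worth correlating with the web server's access log for that window, since a genuine slow query varies with load while an induced delay repeats at the chosen interval. The thresholds are starting points; set them from the site's own baseline for these queries, and note that the slow log must be enabled with long_query_time low enough to capture delays of the size being looked for.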
Source
For technical details, see the Wordfence advisory.