Wordfence has disclosed a high-severity, authenticated time-based SQL injection in the Tutor LMS Pro WordPress plugin that could let an attacker holding a valid account extract sensitive information from the site's database. The flaw affects all versions up to and including 3.7.0 and carries a CVSS score of 8.8 (High). It is fixed in version 3.7.1, according to the Wordfence advisory.

Tutor LMS Pro WordPress Plugin Vulnerability
The vulnerability is a time-based (blind) SQL injection caused by insufficient escaping of a user-supplied value and insufficient preparation of the existing SQL query. The injectable parameter is "order" in the plugin's get_submitted_assignments() function. Exploitation requires an authenticated account; no unauthenticated path is reported.
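The pattern behind this class of bug, and its fix, as an added illustration that is not Tutor LMS Pro's code (the advisory does not publish the vulnerable source). A parameter named "order" usually ends up in an ORDER BY clause, and that clause cannot be protected by $wpdb->prepare() placeholders alone, because placeholders carry values (%s, %d), never column names or SQL fragments such as "created_at DESC". The function and table names, the column allowlist, and the assumption that "order" feeds an ORDER BY clause are all hypothetical.

```php
<?php
// Illustrative code, not the plugin's own: an ORDER BY sink and its hardened
// form. Assumes the WordPress $wpdb global; table and column names are made up.

// VULNERABLE PATTERN (hypothetical): the WHERE clause is prepared, but the
// caller-controlled "order" value is concatenated raw. A value such as
// "(SELECT SLEEP(5))" is executed as part of the ORDER BY expression, and
// a conditional sleep turns that into a bit-by-bit data oracle.
function get_submitted_assignments_vulnerable( $course_id, $order ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}assignment_submissions WHERE course_id = %d",
        $course_id
    );
    $sql .= ' ORDER BY ' . $order; // unescaped, attacker-controlled fragment
    return $wpdb->get_results( $sql );
}

// HARDENED PATTERN: map the request value onto an allowlist of known columns
// and directions and never interpolate the raw string. Unknown input falls
// back to a fixed default rather than erroring, so the endpoint stays usable.
const ASSIGNMENT_ORDER_COLUMNS = array( 'submitted_at', 'title', 'status' );

function parse_order_param( $order ) {
    $order     = strtolower( trim( (string) $order ) );
    $parts     = preg_split( '/\s+/', $order, 2 );
    $column    = $parts[0];
    $direction = isset( $parts[1] ) ? strtoupper( $parts[1] ) : 'DESC';

    if ( ! in_array( $column, ASSIGNMENT_ORDER_COLUMNS, true ) ) {
        $column = 'submitted_at';
    }
    if ( 'ASC' !== $direction && 'DESC' !== $direction ) {
        $direction = 'DESC';
    }
    return array( $column, $direction );
}

function get_submitted_assignments_hardened( $course_id, $order ) {
    global $wpdb;
    list( $column, $direction ) = parse_order_param( $order );
    // $column and $direction now come from constants, so interpolating them
    // into the query text is safe; the user-supplied value only selected them.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}assignment_submissions
          WHERE course_id = %d
       ORDER BY `{$column}` {$direction}",
        $course_id
    );
    return $wpdb->get_results( $sql );
}
```

With this, a hostile value like "(SELECT SLEEP(5))" collapses to the default ordering instead of reaching MySQL, while "title asc" still works. WordPress also ships sanitize_sql_orderby(), which checks only that the string has the syntactic shape "column [ASC|DESC], ..."; it does not verify that the column exists, so an allowlist of the columns the query actually exposes is the stronger fix and should be preferred.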
Key Details
- Product: Tutor LMS Pro - e-learning and online course solution for WordPress.
- Affected versions: up to and including 3.7.0.
- Vulnerability type: time-based SQL injection.
- Attack vector: "order" parameter in get_submitted_assignments().
- Authentication: required for exploitation.
- Impact: potential extraction of sensitive database information.
- Severity: CVSS score 8.8 (High), as reported by Wordfence.
- Advisory source: Wordfence advisory.
- Patched version: 3.7.1.
Background Context
Tutor LMS Pro is a commercial WordPress plugin developed by Themeum to build and manage online courses. It operates alongside the free Tutor LMS core plugin.
In a time-based (blind) SQL injection the attacker never sees query output. Instead, the injected SQL makes the database pause, typically through a conditional call to a sleep or benchmark function, only when a guessed condition about the stored data is true, and the attacker reads the answer from how long the response takes. Repeating this one guess at a time can recover arbitrary data from any table the vulnerable query's database user can read. Wordfence notes the flaw is reachable by authenticated users.
What Site Owners Should Do
- Update Tutor LMS Pro to version 3.7.1 or later as soon as possible.
- Because the flaw requires an authenticated account, review who can obtain one (for example, whether self-registration is enabled) and restrict access to trusted users until the update is applied.
- Review web server, WAF and plugin logs for requests that carry SQL keywords such as SLEEP or BENCHMARK in the order parameter, and for unusually slow responses from the affected endpoint, since the delay itself is the trace a time-based injection leaves.
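A concrete way to do that log review, and to see the timing channel described under Background Context, as an added example that is not from the advisory: the PHP script below scans constructed access-log lines for an "order" parameter that carries a delay function (or anything that is not a plain "column [ASC|DESC]") and for slow responses on the same requests. The endpoint path, the action name, the log format with the response time appended (nginx $request_time), and the assumption that "order" travels in the query string are all hypothetical; if the plugin reads it from a POST body, access logs will not contain it and WAF or application-level logging is needed instead.

```php
<?php
// Added example, not the advisory's or the plugin's code. The log lines are
// constructed for this example; the endpoint and action names are hypothetical.
// Format: combined log format plus the response time in seconds as a final field.
$sample_log = <<<'LOG'
203.0.113.5 - - [10/Jun/2025:14:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=tutor_assignments&order=submitted_at%20DESC HTTP/1.1" 200 5123 "-" "Mozilla/5.0" 0.087
203.0.113.5 - - [10/Jun/2025:14:02:19 +0000] "GET /wp-admin/admin-ajax.php?action=tutor_assignments&order=(SELECT%20SLEEP(5)) HTTP/1.1" 200 5123 "-" "python-requests/2.31" 5.104
203.0.113.5 - - [10/Jun/2025:14:02:26 +0000] "GET /wp-admin/admin-ajax.php?action=tutor_assignments&order=(SELECT%20IF(1%3D1,SLEEP(5),1)) HTTP/1.1" 200 5123 "-" "python-requests/2.31" 5.098
198.51.100.7 - - [10/Jun/2025:14:03:01 +0000] "GET /wp-admin/admin-ajax.php?action=tutor_assignments&order=title%20ASC HTTP/1.1" 200 4096 "-" "Mozilla/5.0" 3.410
LOG;

// Combined log format with a trailing response-time field.
const LOG_PATTERN = '/^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$/';
// Delay primitives across common engines (MySQL, PostgreSQL, MSSQL).
const DELAY_PATTERN = '/\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b/i';
// What a legitimate order value looks like: one identifier, optional direction.
const BENIGN_ORDER = '/^[A-Za-z0-9_]+(\s+(ASC|DESC))?$/i';
// Threshold for "slow"; tune to the endpoint's normal latency.
const SLOW_SECONDS = 3.0;

// Extract the URL-decoded "order" query parameter, or null if absent.
function order_param_from_url( $url ) {
    $query = parse_url( $url, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return null;
    }
    parse_str( $query, $params ); // parse_str percent-decodes the values
    return isset( $params['order'] ) ? (string) $params['order'] : null;
}

// Return a record with the reasons a line is suspicious (empty if none),
// or null if the line does not parse.
function classify_request( $line ) {
    if ( ! preg_match( LOG_PATTERN, $line, $m ) ) {
        return null;
    }
    $order   = order_param_from_url( $m['url'] );
    $reasons = array();
    if ( null !== $order ) {
        if ( preg_match( DELAY_PATTERN, $order ) ) {
            $reasons[] = 'delay function in order parameter';
        } elseif ( ! preg_match( BENIGN_ORDER, $order ) ) {
            $reasons[] = 'order parameter is not "column [ASC|DESC]"';
        }
    }
    if ( (float) $m['rt'] >= SLOW_SECONDS ) {
        $reasons[] = sprintf( 'slow response (%.1fs)', (float) $m['rt'] );
    }
    return array( 'ip' => $m['ip'], 'ts' => $m['ts'], 'order' => $order, 'reasons' => $reasons );
}

function scan_log( $text ) {
    $hits = array();
    foreach ( preg_split( '/\R/', trim( $text ) ) as $line ) {
        $r = classify_request( $line );
        if ( $r && $r['reasons'] ) {
            $hits[] = $r;
        }
    }
    return $hits;
}

foreach ( scan_log( $sample_log ) as $hit ) {
    printf( "%s %s order=%s :: %s\n", $hit['ts'], $hit['ip'], var_export( $hit['order'], true ), implode( '; ', $hit['reasons'] ) );
}
```

Run it with php and read the two signals together: the second and third sample lines are flagged both for the SLEEP call and for a response time that matches the requested delay, which is exactly how the attacker reads the answer. The last line is flagged for latency alone, a reminder that timing by itself is noisy on a busy LMS and should be correlated with the payload and, since the flaw needs an account, with the WordPress user behind the session. Wordfence's firewall log, where present, will show blocked attempts against the same parameter.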
Source
Primary source: Wordfence advisory.