CVE-2026-6080

MEDIUM

Tutor LMS <= 3.9.8 - Authenticated (Admin+) SQL Injection via 'date' Parameter

Title source: cna

Description

The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database.

References (8)

https://www.wordfence.com/threat-intel/vulnerabilities/id/6dd041ff-a0a3-4d1f-83e0-6ec2a978e9cf?source=cve

https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Instructors_List.php#L376

https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Instructors_List.php#L376

https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/views/pages/instructors.php#L38

https://plugins.trac.wordpress.org/browser/tutor/trunk/views/pages/instructors.php#L38

https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.8/classes/Instructors_List.php#L451

https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Instructors_List.php#L451

https://plugins.trac.wordpress.org/changeset/3505142/tutor/tags/3.9.9/classes/Instructors_List.php

Scores

CVSS v3 6.5

EPSS 0.0002

EPSS Percentile 3.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

themeum/Tutor LMS – eLearning and online course solution < 3.9.8

Published Apr 17, 2026

Tracked Since Apr 17, 2026