The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versio...
Description
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3
AI Analyst Comment
Remediation
Update the WordPress plugin/theme to the latest version. Review WordPress security settings and remove the plugin if it is no longer needed.
---METADATA---
VENDOR: Themeum
PRODUCT: Tutor LMS Plugin
AFFECTED_VERSIONS: All versions up to, and including, 3
---END_METADATA---
Description Summary:
The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter, potentially allowing for unauthorized database access.
Executive Summary:
A critical SQL Injection vulnerability in the Tutor LMS plugin for WordPress allows attackers to manipulate database queries, risking the theft of sensitive learner and instructor data.
Vulnerability Details
CVE-ID: CVE-2025-13673
Affected Software: Themeum Tutor LMS Plugin
Affected Versions: All versions up to, and including, 3
Vulnerability: The vulnerability is a SQL Injection flaw located in the 'coupon_code' parameter of the Tutor LMS plugin. This allows an attacker—potentially unauthenticated if the coupon field is accessible on public checkout pages—to inject malicious SQL commands into the database query.
Business Impact
Successful exploitation could lead to the unauthorized disclosure of sensitive information, including user emails, hashed passwords, and course data. The CVSS score of 7.5 reflects a high severity, as SQL injection can often be used to bypass authentication and gain full control over the application's database.
Remediation Plan
Immediate Action: Update the Tutor LMS plugin to the latest patched version immediately to resolve the insecure handling of the 'coupon_code' parameter.
Proactive Monitoring: Monitor database logs for unusual query patterns or syntax errors associated with the 'coupon_code' field.
Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection protection enabled to intercept and block malicious payloads before they reach the application.
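As an added illustration of the defect class described above and of the fix the remediation plan calls for, the following is a hypothetical WordPress coupon lookup, not Tutor LMS code (the plugin's own source is not shown on this page); the function names, table name and column names are assumptions, and the hardened version uses the core `$wpdb->prepare()`, `wp_unslash()` and `sanitize_text_field()` functions.

```php
<?php
// Added illustration, not Tutor LMS code: a hypothetical coupon lookup in a
// WordPress plugin, first written with the defect class this advisory
// describes (untrusted 'coupon_code' spliced into SQL text), then hardened.

// Hypothetical vulnerable form: the request value is concatenated into the
// query string, so any quote or operator it contains changes the SQL that
// the database executes.
function example_find_coupon_unsafe( $coupon_code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_coupons'; // hypothetical table name
    $sql   = "SELECT id, discount FROM {$table} WHERE code = '" . $coupon_code . "' AND expires_at > NOW()";
    return $wpdb->get_row( $sql );
}

// Hardened form: $wpdb->prepare() binds the value as a %s placeholder, so the
// input is always treated as data regardless of its content.
function example_find_coupon_safe( $coupon_code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_coupons';
    $sql   = $wpdb->prepare(
        "SELECT id, discount FROM {$table} WHERE code = %s AND expires_at > NOW()",
        $coupon_code
    );
    return $wpdb->get_row( $sql );
}

// Typical call site: read the request parameter, normalise it, and reject
// anything outside the expected shape before it reaches the query layer.
// The allow-list pattern is an assumption about what coupon codes look like.
function example_handle_coupon_request() {
    $raw         = isset( $_POST['coupon_code'] ) ? wp_unslash( $_POST['coupon_code'] ) : '';
    $coupon_code = sanitize_text_field( $raw );
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,32}$/', $coupon_code ) ) {
        return null; // malformed code: do not query at all
    }
    return example_find_coupon_safe( $coupon_code );
}
```

The allow-list check is defence in depth only; parameter binding via `$wpdb->prepare()` is what actually removes the injection condition.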
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of March 1, 2026, there is no public information indicating active exploitation of this vulnerability. However, SQL injection in a popular LMS plugin is a high-value target for attackers looking to harvest user data.
Analyst Recommendation
This vulnerability should be addressed with high priority. Organizations using Tutor LMS must apply the latest update immediately to protect their student and instructor data from unauthorized access and potential theft.