CVE-2025-13673

Themeum · Tutor LMS Plugin

The Tutor LMS plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter, potentially allowing for unauthorized database access.

Executive summary

A critical SQL Injection vulnerability in the Tutor LMS plugin for WordPress allows attackers to manipulate database queries, risking the theft of sensitive learner and instructor data.

Vulnerability

The vulnerability is a SQL Injection flaw in the handling of the 'coupon_code' parameter of the Tutor LMS plugin. An attacker, potentially unauthenticated if the coupon field is exposed on public checkout pages, can inject SQL into the database query that processes this parameter.
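The following is an added illustration of the vulnerability class described above, not Tutor LMS source code (this advisory does not reproduce the plugin's query). The table name `example_coupons`, the function names and the checkout form field are assumptions; `$wpdb->prepare()`, `$wpdb->get_row()`, `wp_unslash()` and `sanitize_text_field()` are standard WordPress APIs. The vulnerable form concatenates the request value into the SQL string; the hardened form binds it as a parameter so that quotes and SQL syntax in the input are treated as data.

```php
<?php
// Added example (not plugin code): generic shape of a coupon lookup in a
// WordPress plugin, first in its injectable form and then hardened.
// Table/column names and function names are hypothetical. Requires the
// WordPress runtime for $wpdb and the helper functions used below.

// VULNERABLE pattern: the request value is interpolated directly into SQL,
// so a coupon code containing a quote alters the query structure.
function example_lookup_coupon_vulnerable( string $coupon_code ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}example_coupons WHERE coupon_code = '" . $coupon_code . "'";
    return $wpdb->get_row( $sql );
}

// HARDENED pattern: $wpdb->prepare() substitutes the %s placeholder with a
// properly escaped value, so the input can only ever match a coupon code.
// The table name still comes from $wpdb->prefix, never from user input.
function example_lookup_coupon_hardened( string $coupon_code ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}example_coupons WHERE coupon_code = %s",
        sanitize_text_field( $coupon_code )
    );
    return $wpdb->get_row( $sql );
}

// Reading the parameter as it would arrive from a (hypothetical) checkout form.
// wp_unslash() removes the slashes WordPress adds to request data; the value
// is then passed to the hardened lookup, which never trusts it as SQL.
$coupon_code = isset( $_POST['coupon_code'] ) ? wp_unslash( $_POST['coupon_code'] ) : '';
$coupon      = example_lookup_coupon_hardened( $coupon_code );
```

The fix is the same regardless of where in the plugin the query lives: every user-supplied value reaches the database only through a placeholder in `$wpdb->prepare()`, and a code review of the plugin's coupon handling should confirm no path still builds the query by string concatenation.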

Business impact

Successful exploitation could lead to the unauthorized disclosure of sensitive information, including user emails, hashed passwords, and course data. The CVSS score of 7.5 reflects a high severity, as SQL injection can often be used to bypass authentication and gain full control over the application's database.

Remediation

Immediate Action: Update the Tutor LMS plugin to the latest patched version, which corrects the insecure handling of the 'coupon_code' parameter.

Proactive Monitoring: Monitor database logs for unusual query patterns or syntax errors associated with the 'coupon_code' field.

Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection protection enabled to intercept and block malicious payloads before they reach the application.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability should be addressed with high priority. Organizations using Tutor LMS must apply the latest update immediately to protect their student and instructor data from unauthorized access and potential theft.