CVE-2025-6184
Tutor · Tutor LMS Pro – eLearning and online course solution plugin for WordPress
A high-severity vulnerability has been identified in the Tutor LMS Pro plugin for WordPress, which could allow an unauthenticated attacker to steal sensitive information from the website's database.
Executive summary
The flaw is a time-based (blind) SQL injection reachable without authentication. An attacker who can reach the site can use it to read data such as password hashes, personal information, and course details out of the WordPress database, posing a significant risk to data confidentiality. Organizations using the affected plugin should prioritize the recommended updates to prevent potential data breaches.
Vulnerability
The vulnerability is a time-based SQL injection within the get_submitted_assignments() function. The function fails to validate the user-supplied order parameter, which controls the sort order of the results, before concatenating it into a database query. Sort direction and column names cannot be bound as prepared-statement parameters, so the only safe handling is to compare the value against a fixed allow-list (for example ASC or DESC) and fall back to a default; the function does not do this. An attacker can inject SQL into this parameter, including conditional delays. WordPress runs on MySQL or MariaDB, so the relevant functions are SLEEP() and BENCHMARK() (WAITFOR DELAY is the Microsoft SQL Server equivalent and does not apply here). By measuring the server's response time to crafted requests, the attacker can infer the answer to one yes/no question per request and so recover data one character at a time. No error message or data ever needs to appear in the response. The technique is slow but fully automatable, so entire tables can eventually be exfiltrated.
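The pattern above, as an added example that is not Tutor LMS Pro's code: a Python model of the flawed query construction beside an allow-listed version, run against a constructed in-memory SQLite database. The table and column names (assignments, users, submitted_at) and the function names are hypothetical. SQLite has no SLEEP(), so the injected CASE expression flips the row order instead of delaying the response; the inference loop is otherwise the same as the time-based one described above, one yes/no question per request.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the WordPress database (hypothetical schema).

    Both assignment rows share a date, so whatever follows the sort column
    in the ORDER BY clause decides the order in which they come back.
    """
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE assignments (id INTEGER, title TEXT, submitted_at TEXT);
        INSERT INTO assignments VALUES (1, 'Essay 1', '2025-01-02'),
                                       (2, 'Essay 2', '2025-01-02');
        CREATE TABLE users (id INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO users VALUES (1, 'admin', '$P$Bconstructedhash');
    """)
    return con


def get_submitted_assignments_vulnerable(con, order):
    """Flawed pattern: the caller's sort direction is spliced into the SQL text."""
    sql = f"SELECT id, title FROM assignments ORDER BY submitted_at {order}"
    return con.execute(sql).fetchall()


ALLOWED_ORDER = {"ASC", "DESC"}


def safe_order(order, default="DESC"):
    """Allow-list the sort direction; anything else falls back to the default.

    ORDER BY terms cannot be bound as query parameters, so comparing against
    a fixed set of tokens is the correct fix, not escaping.
    """
    value = str(order).strip().upper()
    return value if value in ALLOWED_ORDER else default


def get_submitted_assignments_fixed(con, order):
    """Hardened pattern: only a validated token reaches the query text.

    A deterministic tiebreak on id is added so ties sort the same way every time.
    """
    direction = safe_order(order)
    sql = (f"SELECT id, title FROM assignments "
           f"ORDER BY submitted_at {direction}, id {direction}")
    return con.execute(sql).fetchall()


def probe_payload(guess):
    """Attacker-controlled value for the order parameter (constructed).

    A legal direction followed by a conditional sort key. Against MySQL the
    THEN branch would call SLEEP(); here it flips the row order, which is
    just as observable from outside.
    """
    return ("ASC, CASE WHEN (SELECT substr(user_pass, 1, 1) FROM users WHERE id = 1)"
            f" = '{guess}' THEN id ELSE -id END")


def infer_first_char(con, candidates="abc0123$"):
    """One-character-at-a-time inference through the vulnerable function."""
    for guess in candidates:
        rows = get_submitted_assignments_vulnerable(con, probe_payload(guess))
        if [r[0] for r in rows] == [1, 2]:  # condition true -> ascending ids
            return guess
    return None


if __name__ == "__main__":
    db = make_db()
    print("leaked first hash character:", infer_first_char(db))
    print("fixed function, same payload:",
          get_submitted_assignments_fixed(db, probe_payload("$")))
```

The fixed function returns the default ordering for the payload because the value fails the allow-list; the attacker's expression never reaches the database. The same allow-list approach applies to any other ORDER BY or column-name input in the plugin.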
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could lead to a significant data breach, compromising sensitive information such as student PII, instructor data, password hashes (which can be cracked offline), and proprietary course content. The business impact includes severe reputational damage, loss of customer trust, potential regulatory fines (e.g., GDPR, CCPA), and the cost associated with incident response and recovery. Depending on the database user's privileges and the database server's configuration, an attacker could potentially escalate beyond reading data, leading to a full compromise of the WordPress site.
Remediation
Immediate Action: Update the Tutor LMS Pro plugin to the latest patched version provided by the vendor. Because the flaw is reachable without authentication, assume the database may already have been read: review the access logs for the period before the update, and if the order parameter shows signs of probing, force a password reset for all users and rotate any secrets stored in the database. If the plugin is no longer required for business operations, deactivate and remove it completely to eliminate the attack surface.
Proactive Monitoring: Monitor web server access logs for requests to the plugin's assignment-related functions in which the order parameter carries anything other than a sort direction such as ASC or DESC, in particular SLEEP, BENCHMARK, or other SQL fragments, and for long runs of such requests from a single client, which is what automated time-based extraction looks like. Enable the MySQL/MariaDB slow query log with a low long_query_time threshold to catch the artificially delayed queries that time-based SQL injection produces. A Web Application Firewall (WAF) should be configured to log and block SQL injection attempts.
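Detection over access logs, as an added example rather than anything from the advisory or the plugin: the script below parses Apache combined-format lines, url-decodes the query string, and flags every order value that is not a plain sort direction, distinguishing values that contain timing functions from values that are merely unexpected. The log lines are constructed, and the request path (admin-ajax.php with a hypothetical action name) is a placeholder, not Tutor LMS Pro's real endpoint.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample log (Apache combined format). Paths and action names are
# hypothetical placeholders for the plugin's assignment-listing request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=assignments_list&order=DESC HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=assignments_list&order=ASC%2C%28SELECT%20SLEEP%285%29%29 HTTP/1.1" 200 5123 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jun/2025:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=assignments_list&order=ASC%2C%20IF%28SUBSTRING%28user_pass%2C1%2C1%29%3D%27%24%27%2CSLEEP%285%29%2C1%29 HTTP/1.1" 200 5123 "-" "python-requests/2.31"
203.0.113.9 - - [10/Jun/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=assignments_list&order=title HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2025:10:02:05 +0000] "GET /courses/ HTTP/1.1" 200 20011 "-" "Mozilla/5.0"
"""

# Apache combined format: client, identd, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Timing primitives across common engines; WordPress itself uses MySQL/MariaDB.
TIME_FUNCS = re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR|PG_SLEEP)\b", re.IGNORECASE)

ALLOWED_ORDER = {"ASC", "DESC"}


def classify_order(value):
    """Return 'ok' for a plain sort direction, otherwise why the value is suspicious."""
    decoded = unquote_plus(value)  # catch double-encoded payloads
    if decoded.strip().upper() in ALLOWED_ORDER:
        return "ok"
    if TIME_FUNCS.search(decoded):
        return "time-based-sqli"
    return "unexpected"


def scan_log(text):
    """Yield one finding per request whose order parameter is not a sort direction."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(m.group("target")).query
        params = parse_qs(query, keep_blank_values=True)  # parse_qs url-decodes once
        for value in params.get("order", []):
            verdict = classify_order(value)
            if verdict != "ok":
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "order": unquote_plus(value),
                    "verdict": verdict,
                })
    return findings


def requests_per_client(findings):
    """Count flagged requests per client; sustained runs indicate automated extraction."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['verdict']}: order={f['order']!r}")
    print(requests_per_client(scan_log(SAMPLE_LOG)))
```

The "unexpected" class catches probing that does not use a timing function (a column name, a boolean condition) and is worth alerting on too, since a plugin whose only legal values are ASC and DESC should never see anything else there. Correlate the flagged timestamps with the slow query log: a flagged request that lines up with a query delayed by the requested number of seconds confirms the injection is working.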
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with strict rules designed to detect and block SQL injection patterns, bearing in mind that signature-based rules can be evaded and should be treated as a stopgap, not a fix. Harden the database by ensuring the WordPress database user has the minimum necessary permissions (principle of least privilege), which limits what an attacker can do with the injection, for example reading other databases on the same server or writing files. Note the limit of this control: WordPress needs read and write access to its own tables, so an injection running as that user can still read the WordPress database, including the users table. Only the patch closes the read path.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the high CVSS score of 8.8 and the fact that the SQL injection requires no authentication, we strongly recommend that immediate action is taken to apply the vendor-supplied patch. The potential for a complete database compromise presents a severe risk to the organization. Although this CVE is not yet on the CISA KEV list, organizations should treat it with the highest priority and apply remediation without delay to prevent data exfiltration and protect the integrity of the learning management system.