Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2024-1751SQL Injection in Tutor LMS

CWE-89SQL Injection5 documents5 sources
Severity
8.8HIGHNVD
EPSS
35.2%
top 2.95%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
2
Themeum Tutor LMSThemeum Tutor LMS Elearning AND Online Course Solution
Timeline
PublishedMar 13
Latest updateApr 12

Description

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the question_id parameter in all versions up to, and including, 2.6.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber/student access or higher, to append additional SQL queries into already existing queries that can be used to extract sen

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDthemeum/tutor_lms< 2.6.2

🔴Vulnerability Details

3
VulDB
Tutor LMS Plugin up to 2.6.1 on WordPress sql injection2026-04-12
GHSA
GHSA-gf3f-c8q8-x35q: The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the question_id parameter in a2024-03-13
CVEList
Tutor LMS – eLearning and online course solution <= 2.6.1 - Authenticated (Subscriber+) SQL Injection2024-03-13

💥Exploits & PoCs

1
Nuclei
Tutor LMS <= 2.1.10 - SQL Injection
CVE-2024-1751 — SQL Injection in Themeum Tutor LMS | cvebase