CVE-2025-6184SQL Injection in Tutor LMS PRO

CWE-89SQL Injection3 documents3 sources
Severity
8.8HIGHNVD
EPSS
0.0%
top 89.49%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Themeum Tutor LMS PRO
Timeline
PublishedAug 13

Description

The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter used in the get_submitted_assignments() function in all versions up to, and including, 3.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Tutor-level access and above, to append additional SQL queries into already existi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

CVEListV5themeum/tutor_lms_pro3.7.0

🔴Vulnerability Details

2
GHSA
GHSA-chjx-46j3-jv4m: The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter used2025-08-13
CVEList
Tutor LMS Pro – eLearning and online course solution <= 3.7.0 - Authenticated (Tutor Instructor+) SQL Injection2025-08-13
CVE-2025-6184 — SQL Injection in Themeum Tutor LMS PRO | cvebase