SQL Injection Vulnerability in Tutor LMS eLearning Plugin for WordPress
CVE-2026-15022

6.5MEDIUM

What is CVE-2026-15022?

The Tutor LMS plugin, used for eLearning and online courses, is susceptible to a generic SQL injection vulnerability due to inadequate escaping of user-supplied parameters in stored quiz answer arrays. This vulnerability allows authenticated attackers with custom-level access or higher to inject malicious SQL queries that can extract confidential information from the database. The vulnerable code interacts with the wp_ajax_tutor_quiz_abandon handler and executes the injected payload when privileges allow access to the quiz attempt details via the Tutor REST API. This mechanism highlights a serious concern for any site using the affected plugin version.

Affected Version(s)

Tutor LMS – eLearning and online course solution 0 <= 4.0.0

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Supakiad S. (m3ez)
.