CVE-2025-6184 Overview
CVE-2025-6184 is a time-based SQL injection vulnerability in the Tutor LMS Pro WordPress plugin, an eLearning and online course solution. The flaw affects all versions up to and including 3.7.0 and resides in the get_submitted_assignments() function. The order parameter is not properly escaped, and the SQL query lacks sufficient preparation [CWE-89]. Authenticated attackers with Tutor-level access or higher can append arbitrary SQL to existing queries to extract sensitive data from the WordPress database. Only the Pro version of the plugin is affected.
Critical Impact
Authenticated attackers with Tutor-level privileges can exfiltrate sensitive database content, including user credentials, course material, and configuration data.
Affected Products
- Tutor LMS Pro plugin for WordPress, all versions up to and including 3.7.0
- WordPress sites where Tutor LMS Pro is installed and active
- Free (non-Pro) versions of Tutor LMS are not affected
Discovery Timeline
- 2025-08-13 - CVE-2025-6184 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-6184
Vulnerability Analysis
The vulnerability exists in the get_submitted_assignments() function within Tutor LMS Pro. This function accepts an order parameter from user input and concatenates it into a SQL query without applying wpdb::prepare() or equivalent escaping. The order parameter is typically used to specify ascending or descending sort direction, but the plugin does not validate it against an allowlist of accepted values.
Because the injection point is in the ORDER BY clause, exploitation relies on time-based techniques such as SLEEP() or conditional response timing. Attackers can use boolean conditions chained with SLEEP() to extract data character by character. Successful exploitation grants read access to any table accessible to the WordPress database user, including wp_users (password hashes) and wp_usermeta.
Root Cause
The root cause is insufficient escaping of user-supplied input combined with the absence of parameterized queries. The plugin trusts the order value passed through the request and inserts it directly into the SQL statement. WordPress provides wpdb::prepare() for safe query construction, but it does not support binding identifiers such as column names or sort direction, which makes ORDER BY clauses a common SQL injection sink when developers do not validate against a fixed allowlist.
Attack Vector
Exploitation requires an authenticated account with Tutor-level privileges or higher. The attacker sends a crafted HTTP request to the endpoint that invokes get_submitted_assignments() and supplies a malicious order parameter containing time-based payloads. Because Tutor accounts can be self-registered on many learning sites that permit instructor signups, the access barrier is often low.
No verified public exploit code is available. The vulnerability is described in the Wordfence Vulnerability Report.
Detection Methods for CVE-2025-6184
Indicators of Compromise
- HTTP requests to Tutor LMS Pro endpoints containing SQL keywords such as SLEEP, BENCHMARK, IF(, or CASE WHEN in the order parameter
- Web server access logs showing unusually long response times for assignment-related AJAX or REST requests
- Repeated authenticated requests from a single Tutor-level account targeting get_submitted_assignments functionality
- Database query logs showing malformed ORDER BY clauses or unusually high query latency
Detection Strategies
- Enable WordPress query logging or MySQL slow query logging to capture queries with abnormal ORDER BY content
- Deploy a web application firewall rule that inspects the order parameter for SQL metacharacters and time-delay functions
- Audit Tutor LMS Pro request patterns for unusual frequency from single user sessions, indicating automated extraction
Monitoring Recommendations
- Forward WordPress and webserver logs to a centralized SIEM for correlation against authenticated user activity
- Alert on response-time anomalies for plugin endpoints, since time-based SQLi produces measurable delays
- Review newly registered Tutor and Instructor accounts for suspicious activity following the disclosure date
How to Mitigate CVE-2025-6184
Immediate Actions Required
- Update Tutor LMS Pro to a version released after 3.7.0 that addresses CVE-2025-6184
- Audit all Tutor-level and higher accounts and remove any that are inactive or unauthorized
- Temporarily disable Tutor LMS Pro on production sites if patching cannot be performed immediately
- Rotate WordPress administrator passwords and database credentials if compromise is suspected
Patch Information
Review the vendor advisory and update guidance at the Tutor LMS Homepage and the WordPress Tutor Plugin Info page. The Wordfence Vulnerability Report lists the fixed version and remediation details.
Workarounds
- Restrict instructor and Tutor-level signup until the patch is applied, requiring administrator approval for new accounts
- Apply a WAF rule blocking requests where the order parameter contains characters outside of asc or desc
- Limit database user privileges so the WordPress account cannot read sensitive tables outside its required scope
# Example WAF rule (ModSecurity) blocking non-allowlisted order values
SecRule ARGS:order "!@rx ^(asc|desc|ASC|DESC)$" \
"id:1006184,phase:2,deny,status:403,\
msg:'CVE-2025-6184 Tutor LMS Pro SQLi attempt in order parameter'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

