Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-10736

CVE-2026-10736: Tutor LMS WordPress Plugin SQLi Vulnerability

CVE-2026-10736 is a SQL injection vulnerability in the Tutor LMS plugin for WordPress that allows admin-level attackers to extract sensitive database information. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-10736 Overview

CVE-2026-10736 is a SQL injection vulnerability in the Tutor LMS – eLearning and Online Course Solution plugin for WordPress. The flaw affects all versions up to and including 3.9.11 and stems from insufficient escaping on the user-supplied data parameter combined with inadequate query preparation. Authenticated attackers with administrator-level access can append additional SQL queries to existing statements and extract sensitive data from the WordPress database. The issue is tracked as [CWE-89] (Improper Neutralization of Special Elements used in an SQL Command) and was patched in version 3.9.12.

Critical Impact

Authenticated administrators can execute arbitrary SQL queries against the WordPress database, exposing user credentials, session tokens, and other stored data.

Affected Products

  • Tutor LMS – eLearning and Online Course Solution plugin for WordPress, all versions up to and including 3.9.11
  • Tutor LMS version 3.9.8 (confirmed in vendor source references)
  • WordPress installations using the vulnerable Tutor LMS plugin

Discovery Timeline

  • 2026-06-18 - CVE-2026-10736 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-10736

Vulnerability Analysis

The vulnerability resides in the Tutor LMS plugin's withdrawal request handling logic. The data parameter received through the plugin's input layer flows into SQL statements constructed within the WithdrawModel class without sufficient sanitization or parameterized query preparation. Because the parameter value is concatenated into the existing query string, an authenticated attacker can break out of the intended query context and append arbitrary SQL statements.

Exploitation requires administrator-level privileges, which limits the attacker population but enables information disclosure across the entire database. The vulnerability impacts confidentiality only — integrity and availability remain unaffected, since the injection path supports query appending suitable for data extraction rather than write operations.

Root Cause

The root cause is improper input neutralization in the plugin's Input.php class and the absence of prepared statements in WithdrawModel.php at the points where the data parameter is consumed. See the WordPress Tutor Input Class and the WordPress Tutor Withdraw Model for the unsanitized data path.

Attack Vector

The attack is network-based and requires authentication as an administrator. An attacker submits crafted input to the withdraw requests endpoint, where the data parameter is incorporated into a SQL query. By appending payloads such as UNION SELECT clauses, the attacker reads arbitrary rows from the WordPress database including the wp_users table. Refer to the WordPress Tutor Withdraw Requests Page for the entry point.

No verified public proof-of-concept code is available. The vulnerability mechanism is documented in the Wordfence Vulnerability Report.

Detection Methods for CVE-2026-10736

Indicators of Compromise

  • Requests to Tutor LMS withdraw request endpoints containing SQL meta-characters such as ', --, UNION, or SELECT in the data parameter
  • Anomalous database queries originating from the Tutor LMS plugin context referencing tables outside the plugin schema (e.g., wp_users, wp_usermeta)
  • Administrator account activity that includes withdraw request page access followed by unusual data exports

Detection Strategies

  • Inspect WordPress and web server access logs for POST or GET requests to Tutor LMS withdraw endpoints with encoded SQL syntax in the data parameter
  • Enable MySQL general query logging or slow query logging temporarily to identify malformed or unexpected UNION-based queries
  • Deploy a web application firewall (WAF) ruleset configured to flag SQL injection patterns targeting WordPress plugin endpoints

Monitoring Recommendations

  • Audit Tutor LMS plugin version inventory across all WordPress installations and flag any instance at or below 3.9.11
  • Monitor administrator account logins for unusual source IPs or off-hours activity, since exploitation requires elevated privileges
  • Track changes to file models/WithdrawModel.php and validate it matches the patched 3.9.12 baseline

How to Mitigate CVE-2026-10736

Immediate Actions Required

  • Update the Tutor LMS plugin to version 3.9.12 or later on all WordPress installations
  • Review administrator account inventory and remove unused or stale privileged accounts
  • Rotate credentials for WordPress administrators if exploitation is suspected, and reset secret keys defined in wp-config.php
  • Audit the WordPress database for unauthorized read access by reviewing application and database logs

Patch Information

The vendor released a fix in Tutor LMS version 3.9.12. The remediation introduces proper query preparation in the withdraw model. Review the patch commit at the WordPress Tutor Withdraw Model Changeset to confirm deployment.

Workarounds

  • Restrict administrator access using IP allowlisting at the web server or WAF layer until the patch is applied
  • Disable the Tutor LMS plugin temporarily if administrative withdraw request functionality is not required
  • Apply WAF signatures that block SQL injection payloads in requests targeting the data parameter on Tutor LMS endpoints
bash
# Update Tutor LMS via WP-CLI to the patched version
wp plugin update tutor --version=3.9.12

# Verify installed version
wp plugin get tutor --field=version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.