Attack Vectors
Tutor LMS – eLearning and online course solution (WordPress plugin slug: tutor) is affected by a High-severity vulnerability (CVSS 7.5) tracked as CVE-2025-13673. The issue is an unauthenticated SQL injection that can be triggered via the coupon_code parameter.
Because this is network-accessible and requires no login (PR:N) and no user interaction (UI:N), attackers can probe and attempt exploitation remotely—often via automated scanning—targeting sites running Tutor LMS versions up to and including 3.9.6.
Security Weakness
The vulnerability stems from insufficient escaping of user-supplied input and lack of sufficient preparation of the SQL query involving the coupon_code parameter. This weakness can allow an attacker to append SQL to existing queries.
It is also important for risk owners to note that the issue was partially mitigated in versions 3.9.4 and 3.9.6, but it is still reported as vulnerable through 3.9.6. The recommended remediation is to update to 3.9.7 or newer (patched versions).
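The pattern the advisory describes, user input interpolated into a SQL string instead of bound as a parameter, is easiest to see side by side with its fix. The following PHP is an added illustration written for this page; it is not Tutor LMS code, the table name tutor_coupons is hypothetical, and FakeWpdb is a stand-in for WordPress's $wpdb that only reproduces enough of prepare() and get_row() to run outside WordPress (the real $wpdb escapes through the database driver, not addslashes()).

```php
<?php
// Added illustration, not Tutor LMS code. It contrasts a query that
// concatenates coupon_code into SQL with one that binds it via prepare().

// Minimal stand-in for WordPress's $wpdb so the snippet runs without WordPress.
// Only the methods used below are implemented; the real class escapes with
// the MySQL driver and supports more placeholder types.
class FakeWpdb {
    public $prefix = 'wp_';
    public $last_query = '';

    // Mimics $wpdb->prepare(): %s becomes a quoted, escaped string literal,
    // %d becomes an integer. Each placeholder consumes one argument in order.
    public function prepare($query, ...$args) {
        $i = 0;
        return preg_replace_callback('/%[sd]/', function ($m) use ($args, &$i) {
            $arg = $args[$i++];
            if ($m[0] === '%d') {
                return (string) (int) $arg;
            }
            return "'" . addslashes((string) $arg) . "'";
        }, $query);
    }

    // Records the SQL instead of executing it; there is no database here.
    public function get_row($query) {
        $this->last_query = $query;
        return null;
    }
}

$wpdb = new FakeWpdb();

// Vulnerable pattern: the request value is dropped straight into the query,
// so a quote in the input ends the string literal and the rest becomes SQL.
function get_coupon_unsafe($wpdb, $coupon_code) {
    $table = $wpdb->prefix . 'tutor_coupons'; // hypothetical table name
    return $wpdb->get_row("SELECT * FROM {$table} WHERE coupon_code = '{$coupon_code}'");
}

// Hardened pattern: a %s placeholder plus prepare(), so whatever the user
// sends is emitted as a single escaped string literal and never as SQL.
function get_coupon_safe($wpdb, $coupon_code) {
    $table = $wpdb->prefix . 'tutor_coupons';
    $sql = $wpdb->prepare("SELECT * FROM {$table} WHERE coupon_code = %s", $coupon_code);
    return $wpdb->get_row($sql);
}

// Constructed input (not from the advisory): the textbook tautology used in
// OWASP's SQL injection write-up, containing a quote that closes the literal.
$input = "x' OR '1'='1";

get_coupon_unsafe($wpdb, $input);
echo "unsafe: {$wpdb->last_query}\n";

get_coupon_safe($wpdb, $input);
echo "safe:   {$wpdb->last_query}\n";
```

Run with `php example.php`. The first line printed shows the WHERE clause rewritten by the input into a condition that matches every row; the second shows the same input confined inside one quoted literal, with the embedded quotes escaped. Reviewing a plugin for this class of bug means looking for any `$wpdb->get_row()`, `get_results()`, `get_var()` or `query()` call whose SQL string is built with interpolation or concatenation from request data rather than passed through `$wpdb->prepare()` (or an equivalent parameterized API); the version bump to 3.9.7 is what removes this exposure for coupon_code in Tutor LMS.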
Technical or Business Impacts
The primary impact called out for this vulnerability is confidentiality exposure (C:H in the CVSS vector). In practical terms, SQL injection can enable attackers to extract sensitive information from the WordPress database. For organizations using Tutor LMS to run revenue-generating training, partner portals, or customer education, this can elevate into a material business risk.
Potential business impacts include:
Data exposure and compliance risk: Depending on what is stored in your database, unauthorized access to records can trigger privacy obligations, contractual notifications, or regulatory scrutiny.
Brand and revenue impact: If customers, students, or partners lose trust in the security of your learning environment, you may see reduced course sales, higher churn, and increased support burden.
Incident response costs: Even if the attacker “only” reads data, investigation, legal review, and containment efforts can be expensive and disruptive—especially for marketing, sales ops, and compliance teams working against deadlines.
Similar Attacks
SQL injection has been a recurring root cause in major incidents, demonstrating how a single injection point can escalate into significant business damage. Examples include:
Heartland Payment Systems breach (2008) — widely reported as involving SQL injection and resulting in large-scale payment card data theft.
TalkTalk cyber attack (2015) — reported to involve SQL injection and led to exposure of customer data and substantial business fallout.
OWASP: SQL Injection — an industry reference on how SQL injection works and why it remains a high-impact risk for online platforms.