SQL Injection Vulnerability Patched in Tutor LMS WordPress Plugin

On February 15th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for an authenticated SQL Injection vulnerability in Tutor LMS, a WordPress plugin with more than 80,000 active installations. This vulnerability can be leveraged to extract sensitive data from the database, such as password hashes.

Props to Muhammad Hassham Nagori who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $625.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence users are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in SQL Injection protection.

Wordfence contacted Themeum on February 22, 2024, and received a response on February 23, 2024. After providing full disclosure details, the developer released a patch on March 11, 2024. We would like to commend Themeum for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Tutor LMS, which is version 2.6.2, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/03/sql-injection-vulnerability-patched-in-tutor-lms-wordpress-plugin/
