Platform: wordpress
Component: tutor
Fixed in: 3.9.9
CVE-2026-6080 is a SQL Injection vulnerability affecting the Tutor LMS plugin for WordPress. An authenticated attacker with Admin-level access or higher can exploit this flaw by manipulating the 'date' parameter, potentially appending malicious SQL queries and extracting sensitive information from the database. This vulnerability impacts versions of Tutor LMS up to and including 3.9.8. A patch is available in version 3.9.9.
CVE-2026-6080 in the Tutor LMS plugin for WordPress poses a significant risk to websites that use it. Insufficient escaping of the 'date' parameter allows authenticated attackers with Admin-level access or higher to inject malicious SQL code. This could lead to the extraction of sensitive data from the database, including user data, passwords, and other confidential information. The CVSS score of 6.5 indicates a moderate vulnerability, but the potential impact on data confidentiality is considerable. Successful exploitation could compromise the website's integrity and availability, in addition to the information it contains. Updating the plugin to version 3.9.9 or higher is crucial to mitigate this risk.
An authenticated attacker with administrator or higher privileges on a WordPress website using Tutor LMS could exploit this vulnerability. The attacker could manipulate the 'date' parameter in an HTTP request to inject malicious SQL code. This injected SQL code could be used to extract data from the database, modify existing data, or even execute commands on the server. The required authentication limits the scope of exploitation to users with administrative access, but the potential impact of successful exploitation is significant. The vulnerability lies in how the plugin handles the user-supplied 'date' value without proper validation or escaping before using it in an SQL query.
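To make the weakness class concrete, the following is an added illustration, not Tutor LMS's code and not the actual vulnerable function: a hypothetical date filter concatenated straight into a query, beside the validated and prepared form. The function and table names are assumptions chosen for the example.

```php
<?php
// Added illustration, not Tutor LMS code: a hypothetical admin-only report
// handler that filters rows by a 'date' request parameter. Function and
// table names are assumptions chosen for this example.

// Weak pattern (the class of bug described above): the parameter is
// sanitised for HTML but never validated as a date and never bound to the
// query, so it reaches the WHERE clause as raw SQL text.
function example_report_by_date_weak( $date ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_enrollments';
    $date  = sanitize_text_field( $date ); // strips tags; does nothing for SQL
    $sql   = "SELECT id, user_id FROM {$table} WHERE DATE(created_at) = '{$date}'";
    return $wpdb->get_results( $sql );
}

// Hardened form: accept only an exact YYYY-MM-DD calendar date, then bind
// the value with $wpdb->prepare() so it can only ever be a string literal.
function example_validate_ymd_date( $value ) {
    if ( ! is_string( $value ) ) {
        return false;
    }
    $dt = DateTime::createFromFormat( '!Y-m-d', $value );
    // createFromFormat() silently rolls over inputs such as 2026-02-31, so
    // compare the round-trip and reject anything that does not match exactly.
    if ( ! $dt || $dt->format( 'Y-m-d' ) !== $value ) {
        return false;
    }
    return $dt->format( 'Y-m-d' );
}

function example_report_by_date_fixed( $date ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_enrollments';
    // Capability check scopes who can reach the query at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }
    $clean = example_validate_ymd_date( wp_unslash( $date ) );
    if ( false === $clean ) {
        return new WP_Error( 'invalid_date', 'Expected a YYYY-MM-DD date.' );
    }
    $sql = $wpdb->prepare(
        "SELECT id, user_id FROM {$table} WHERE DATE(created_at) = %s",
        $clean
    );
    return $wpdb->get_results( $sql );
}
```

The fix combines two independent controls: strict input validation, which makes the value structurally incapable of carrying SQL, and parameter binding, which protects the query even if validation is later loosened.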
Exploit Status:
EPSS: 0.02% (3rd percentile)
CISA SSVC:
CVSS Vector:
The primary solution to address CVE-2026-6080 is to update the Tutor LMS plugin to version 3.9.9 or later. This update includes the necessary fixes to prevent SQL injection. Additionally, regular security audits of the WordPress website are recommended to identify and correct potential vulnerabilities. Ensuring all plugins and themes are updated to their latest versions is a fundamental security practice. Implementing a Web Application Firewall (WAF) can provide an additional layer of protection by filtering malicious traffic. Finally, restricting database access and using strong passwords for administrator accounts are important preventative measures.
Update to version 3.9.9, or a newer patched version
SQL Injection is a type of attack that allows attackers to insert malicious SQL code into an SQL query, potentially leading to data extraction, modification, or deletion.
If you do not update to version 3.9.9 or higher, your website remains vulnerable to extraction of sensitive data from the database by authenticated attackers with administrative access.
If you cannot update yet, limit administrative access and carefully review any data input related to dates.
There are WordPress vulnerability scanners that can detect this vulnerability, although accuracy may vary.
You can find more information about CVE-2026-6080 in vulnerability databases, such as the National Vulnerability Database (NVD).