[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fnAWRaJPSbxg2qcMeqEC0wY-UwTamrIix6HEpfwFNVBA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-6080","tutor-lms-authenticated-admin-sql-injection-via-date-parameter","Tutor LMS \u003C= 3.9.8 - Authenticated (Admin+) SQL Injection via 'date' Parameter","The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). 
This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database.","tutor",null,"\u003C=3.9.8","3.9.9","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-04-16 15:15:35","2026-04-17 03:36:44",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6dd041ff-a0a3-4d1f-83e0-6ec2a978e9cf?source=api-prod",1,[22,23,24,25,26,27],"assets\u002Fcss\u002Ftutor-admin.min.css","assets\u002Fjs\u002Ftutor-admin.js","assets\u002Fjs\u002Ftutor-coupon.js","assets\u002Fjs\u002Ftutor-course-builder.js","assets\u002Fjs\u002Ftutor-front.js","assets\u002Fjs\u002Ftutor-setup.js","researched",false,3,"This research plan outlines the steps to identify and exploit the SQL Injection vulnerability in Tutor LMS (CVE-2026-6080).\n\n### 1. Vulnerability Summary\nThe Tutor LMS plugin is vulnerable to an authenticated SQL injection via the `date` parameter in versions up to 3.9.8. The vulnerability arises because user-supplied input from the `date` parameter is directly interpolated into a SQL fragment (likely a `WHERE` or `AND` clause) *before* that fragment is passed into `$wpdb->prepare()`. Because `prepare()` does not retroactively sanitize variables already concatenated into the query string, an attacker can break out of the intended SQL logic and execute arbitrary queries.\n\n### 2. 
Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php` (Primary) or specific Admin Dashboard pages.\n*   **Action:** Likely an AJAX action associated with Reports, Analytics, or Sales (e.g., `tutor_get_report_data` or `tutor_report_sales_data`).\n*   **Vulnerable Parameter:** `date` (or potentially `start_date`\u002F`end_date` depending on the specific report).\n*   **Authentication:** Requires **Admin** level privileges (capability `manage_options` or `tutor_manage_reports`).\n*   **Payload Type:** Time-based blind SQL Injection or Error-based (if `WP_DEBUG` is enabled).\n\n### 3. Code Flow (Inferred)\n1.  An Administrator accesses the Tutor LMS Reports menu.\n2.  The UI (React\u002FVue based in 3.x) sends an AJAX request to `admin-ajax.php`.\n3.  The PHP handler (e.g., `Tutor\\Reports\\Analytics::get_report`) retrieves the `date` parameter: `$date = $_POST['date'];`.\n4.  The code constructs a SQL fragment: `$date_query = \" AND post_date = '$date'\";`.\n5.  The fragment is appended to a larger query: `$query = \"SELECT ... WHERE 1=1 \" . $date_query;`.\n6.  The result is passed to `prepare()`: `$wpdb->get_results( $wpdb->prepare( $query, $other_params ) );`.\n7.  Since `$date` was already inside `$query`, `prepare()` treats it as part of the SQL structure rather than a placeholder.\n\n### 4. Nonce Acquisition Strategy\nTutor LMS heavily uses nonces for admin AJAX actions. You must obtain the correct nonce for the `tutor_admin` context.\n\n1.  **Identify Shortcode\u002FPage:** Navigate to the Tutor LMS Reports page: `\u002Fwp-admin\u002Fadmin.php?page=tutor-reports`.\n2.  **Extract Nonce:** The plugin localizes its settings into a global JavaScript object. Use the `browser_eval` tool to find it.\n3.  **Variable Name:** Usually `_tutorobject` or `tutor_admin`.\n4.  **Action:** In `assets\u002Fjs\u002Ftutor-front.js`, the code references `_tutorobject.ajaxurl`.\n5.  
**Target Nonce Path:** `window._tutorobject?.nonce` or `window.tutor_admin?.nonce`.\n\n### 5. Exploitation Strategy\nWe will use a time-based blind injection to confirm the vulnerability.\n\n**Step 1: Admin Authentication**\nLogin to the WordPress instance as an administrator.\n\n**Step 2: Find the Vulnerable Action**\nSearch the plugin directory for the usage of the `date` parameter in SQL queries:\n`grep -rn \"\\$_POST\\['date'\\]\" .` or `grep -rn \"['\\\"]date['\\\"]\" . | grep \"wpdb\"`\n\n**Step 3: Construct Payload**\nAssume the action is `tutor_get_report_data`.\nThe payload for the `date` parameter will be:\n`2024-01-01' AND (SELECT 1 FROM (SELECT(SLEEP(10)))a) AND '1'='1`\n\n**Step 4: Execute HTTP Request**\nUse the `http_request` tool:\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=tutor_get_report_data&nonce=[EXTRACTED_NONCE]&date=2024-01-01' AND (SELECT 1 FROM (SELECT(SLEEP(10)))a) AND '1'='1\n    ```\n\n### 6. Test Data Setup\n1.  **Install Tutor LMS 3.9.8.**\n2.  **Activate Plugin.**\n3.  **Generate Sample Data:** Create at least one Course and one Order\u002FSale so that the Report query returns results and reaches the vulnerable code block.\n4.  **Create Admin User:** Ensure you have the credentials for a user with the `administrator` role.\n\n### 7. Expected Results\n*   **Baseline Request:** A normal request with `date=2024-01-01` should return in \u003C 1 second.\n*   **Attack Request:** The request with the `SLEEP(10)` payload should take approximately 10 seconds to respond.\n*   **Response Content:** The response may be a JSON object (`{\"success\":true, ...}`) or a report table, but the timing delay is the indicator of success.\n\n### 8. Verification Steps (Post-Exploit)\nConfirm the vulnerability via `wp-cli`:\n1.  
Identify the PHP file containing the query (e.g., `classes\u002FReports.php`).\n2.  Verify if the `date` variable is being escaped using `esc_sql()` or if it is indeed interpolated directly before `prepare()`.\n3.  `wp db query \"SELECT ...\"`: Run a similar query manually to see if the structure matches the injection point.\n\n### 9. Alternative Approaches\nIf the `date` parameter is not the direct key, look for:\n*   `start_date` \u002F `end_date` in the same report handlers.\n*   `period` parameter if it's used to dynamically build date fragments.\n*   Check for **Error-based SQLi** by sending a single quote `'` and checking the response for SQL syntax errors (only works if `WP_DEBUG` is on or plugin logs are visible).\n*   Check the `tutor_report_sales_data` action specifically, as it is a common target for analytics-based SQLi.","Tutor LMS is vulnerable to SQL Injection via the 'date' parameter used in reporting AJAX actions. This occurs because the plugin concatenates unsanitized user input into a SQL string before passing it to $wpdb->prepare(), allowing authenticated administrators to execute arbitrary database queries.","\u002F\u002F Inferred from vulnerability description and research plan\n\u002F\u002F Likely located in a PHP handler for reports\u002Fanalytics AJAX actions\n\n$date = $_POST['date'];\n$date_query = \" AND post_date = '$date'\"; \n$query = \"SELECT count(*) FROM {$wpdb->prefix}posts WHERE post_type = 'tutor_enrolled' \" . $date_query;\n\n\u002F\u002F prepare() is called on the already-interpolated string, rendering it ineffective\n$results = $wpdb->get_results( $wpdb->prepare( $query ) );","--- a\u002Fclasses\u002FReports\u002FAnalytics.php\n+++ b\u002Fclasses\u002FReports\u002FAnalytics.php\n@@ -10,7 +10,6 @@\n \n- $date = $_POST['date'];\n- $date_query = \" AND post_date = '$date'\";\n- $query = \"SELECT count(*) FROM {$wpdb->prefix}posts WHERE post_type = 'tutor_enrolled' \" . 
$date_query;\n- $results = $wpdb->get_results( $wpdb->prepare( $query ) );\n+\n+ $date = sanitize_text_field( $_POST['date'] );\n+ $query = $wpdb->prepare( \n+     \"SELECT count(*) FROM {$wpdb->prefix}posts WHERE post_type = 'tutor_enrolled' AND post_date = %s\", \n+     $date \n+ );\n+ $results = $wpdb->get_results( $query );","The exploit targets report-related AJAX endpoints accessible to administrators. An attacker first authenticates as an admin and extracts the required AJAX nonce from the `_tutorobject` global JavaScript variable found on the Tutor LMS reports dashboard. The attacker then sends a POST request to `wp-admin\u002Fadmin-ajax.php` with a reporting action (e.g., `tutor_get_report_data`). The `date` parameter is populated with a time-based blind SQL injection payload, such as `2024-01-01' AND (SELECT 1 FROM (SELECT(SLEEP(10)))a) AND '1'='1`. If vulnerable, the server's response will be delayed by the duration of the sleep command, confirming the ability to execute arbitrary SQL.","gemini-3-flash-preview","2026-04-20 20:20:18","2026-04-20 20:21:09",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","3.9.8","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftutor\u002Ftags\u002F3.9.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftutor.3.9.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftutor\u002Ftags\u002F3.9.9","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftutor.3.9.9.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Ftutor\u002Ftags"]
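Review bot: in the added lines of the classes/Reports/Analytics.php hunk, `$date = sanitize_text_field( $_POST['date'] );` reads the parameter without an `isset()` check or `wp_unslash()`, and nothing validates that the value is actually a date before it is bound to `%s`. Binding through `$wpdb->prepare()` closes the injection, but I would also reject any value that does not match the expected date format before querying, so malformed input fails early instead of reaching the database as an arbitrary string. The hunk header `@@ -10,7 +10,6 @@` also does not match the four removed and seven added lines shown, so the patch should be regenerated before it is applied.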