CVE-2026-15022 in Tutor LMS Plugin
Summary
by MITRE • 07/16/2026
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via Stored Quiz Answer Array in all versions up to, and including, 4.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The payload is stored at quiz-attempt time via the wp_ajax_tutor_quiz_abandon handler, but the injected SQL executes only when a privileged user or Tutor REST API key holder requests the /wp-json/tutor/v1/quiz-attempt-details/{id} endpoint, making this a second-order (stored) injection chain.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
This vulnerability affects the Tutor LMS plugin for WordPress, specifically versions up to and including 400, presenting a critical security flaw that enables authenticated attackers with custom-level privileges or higher to execute malicious SQL injection attacks. The vulnerability stems from inadequate input sanitization within the quiz answer handling mechanism, where user-supplied data is not properly escaped before being incorporated into database queries. The flaw exists in the stored quiz answer array functionality, creating a persistent injection vector that allows attackers to manipulate database operations through carefully crafted inputs.
The technical implementation of this vulnerability follows a second-order injection pattern, meaning the malicious payload is initially stored in the database during quiz attempt processing through the wp_ajax_tutor_quiz_abandon handler. This stored data remains dormant until a privileged user or API key holder accesses the quiz attempt details via the REST API endpoint /wp-json/tutor/v1/quiz-attempt-details/{id}. The timing of execution creates a sophisticated attack chain where the initial compromise occurs during quiz submission, but the actual exploitation happens later when authorized personnel access the stored data through legitimate administrative interfaces.
The impact of this vulnerability extends beyond simple data exfiltration, as authenticated attackers can leverage this weakness to extract sensitive information from the underlying database. This includes user credentials, personal information, course materials, and potentially system configuration details that could facilitate further attacks within the WordPress environment. The vulnerability affects not only the core functionality of the eLearning platform but also compromises the integrity and confidentiality of the entire educational management system.
From a cybersecurity framework perspective, this vulnerability maps directly to CWE-89 SQL Injection and CWE-20 Improper Input Validation, demonstrating how insufficient data sanitization combined with improper query preparation creates exploitable conditions. The attack vector aligns with ATT&CK technique T1078 Valid Accounts, as it requires authentication privileges but can be leveraged by attackers who have gained access to custom-level user accounts or have obtained valid API credentials. The stored nature of the injection also reflects ATT&CK technique T1531 Account Access Removal, as compromised systems may be used to maintain persistent access through manipulated database entries.
Organizations using Tutor LMS plugin versions 400 and below must implement immediate mitigation strategies including updating to patched versions, implementing proper input validation on all user-supplied data, and employing prepared statements for all database queries. Additionally, privileged account monitoring should be enhanced to detect anomalous API access patterns, while regular security audits should verify that no malicious payloads have been successfully injected into the system. The vulnerability highlights the importance of comprehensive security testing throughout the software development lifecycle, particularly in plugins handling user-generated content within WordPress environments where multiple privilege levels exist and interact with database operations.