WordPress SQL Injection (CVE-2025-13673)

Severity: High (7.5)

Unauthenticated SQL injection in Tutor LMS for WordPress (versions 3.0.0 to 3.9.6) lets attackers steal user data and PII from the database. Update to a patched version now.

Affected: WordPress

Vendor-confirmed: CVE-2025-13673 is a high-severity SQL injection in Tutor LMS for WordPress versions 3.0.0 through 3.9.6 that grants an unauthenticated attacker direct access to the plugin’s database to extract user information, course data, and other sensitive records. Update to the latest patched version immediately.

Overview

A significant security vulnerability has been identified in the Tutor LMS plugin for WordPress. This flaw could allow an unauthenticated attacker to perform SQL injection by manipulating the coupon_code parameter.

Vulnerability Explanation

In simple terms, the plugin did not properly sanitize the value entered into the coupon code field, nor did it pass that value to the database through a prepared statement. This failure creates an opening where an attacker can submit SQL syntax instead of a normal coupon code. Because the input is not safely separated from the database command itself, the attacker’s input becomes part of the query that the system runs. This lets them “talk” directly to the website’s database and extract sensitive information stored within it, such as user details, course data, or other confidential records.
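The defect class described above, shown as an added illustration rather than Tutor LMS’s own source: a hypothetical coupon lookup that splices the request value into the SQL text, beside the same lookup written with `$wpdb->prepare()`. The table name `{$wpdb->prefix}coupons`, the `coupon_code` column and the function names are assumptions for the example only.

```php
<?php
// Illustrative WordPress plugin code (not Tutor LMS's own source).
// Assumes a hypothetical table {$wpdb->prefix}coupons with a
// coupon_code column, looked up when a coupon is applied at checkout.

/**
 * VULNERABLE PATTERN: the request value is spliced straight into SQL.
 * Whatever the client sends as coupon_code becomes part of the query text,
 * which is the class of defect this advisory describes.
 */
function lookup_coupon_unsafe( string $code_from_request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'coupons';
    $sql   = "SELECT * FROM {$table} WHERE coupon_code = '{$code_from_request}'";
    return $wpdb->get_row( $sql ); // user input is part of the command
}

/**
 * HARDENED PATTERN: parameterise with $wpdb->prepare().
 * The %s placeholder is quoted and escaped by WordPress, so the value is
 * only ever compared as a string and never interpreted as SQL syntax.
 */
function lookup_coupon_safe( string $code_from_request ) {
    global $wpdb;
    $table = $wpdb->prefix . 'coupons';
    $sql   = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE coupon_code = %s",
        $code_from_request
    );
    return $wpdb->get_row( $sql );
}

/**
 * Input validation at the request boundary. In this hypothetical schema a
 * coupon code is a short token, so anything else is rejected before any
 * query runs. This complements prepare(); it does not replace it.
 */
function read_coupon_code_from_request() {
    $raw = isset( $_POST['coupon_code'] ) ? wp_unslash( $_POST['coupon_code'] ) : '';
    $raw = sanitize_text_field( $raw );
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $raw ) ) {
        return null; // caller treats null as "no valid coupon supplied"
    }
    return $raw;
}
```

When reviewing a plugin for this defect, search for `$wpdb->query`, `get_row`, `get_results` and `get_var` calls whose SQL string contains an interpolated variable instead of a `%s`/`%d` placeholder.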

Impact

If successfully exploited, this vulnerability can lead to a severe data breach. Attackers could steal sensitive information from the database, including personally identifiable information (PII) of students and instructors, course content, payment-related data, and other administrative records. This compromises user privacy, can lead to financial fraud, and damages the trust and reputation of the educational platform.

Remediation and Mitigation

The most critical action is to update the plugin immediately.

  1. Immediate Update: Upgrade the Tutor LMS plugin to the latest available version beyond 3.9.6. This is the only complete solution. WordPress site administrators should navigate to Dashboard > Plugins and apply the update without delay.
  2. Verify Version: Confirm your site is running a patched version. Do not rely on the partial mitigations noted in versions 3.9.4 and 3.9.6; a full update is required.
  3. Security Best Practices: As a general rule, ensure all WordPress core files, themes, and plugins are kept up to date. Consider using a web application firewall (WAF) to help detect and block common injection attacks.
  4. Monitoring: Site owners should review server and security logs for any suspicious activity, particularly unusual database queries originating from the course or checkout pages.

All organizations using Tutor LMS should treat this update with high priority to protect their data and users.
