WordPress Security Bulletin: Tutor LMS 6 eLearning and online course solution plugin for WordPress Vulnerability (CVE-2025-13673)

Security Alert Summary

The Tutor LMS 6 eLearning and online course solution plugin for WordPress contains a SQL injection vulnerability in the coupon_code parameter that affects all versions up to and including 3.9.6. The issue allows unauthenticated attackers to inject additional SQL into existing queries and potentially extract sensitive information from the database. The vulnerability was partially mitigated in versions 3.9.4 and 3.9.6, according to the CVE entry.


CVE Details

  • CVE ID: CVE-2025-13673
  • Affected component: Tutor LMS 6 eLearning and online course solution plugin for WordPress
  • Affected versions: All versions up to and including 3.9.6
  • Published: February 28, 2026 8:15:58 AM UTC
  • Last modified: February 28, 2026 8:15:58 AM UTC
  • CVSS v3.1: Base Score 7.5, Severity: HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Authentication / Privileges / User Interaction: Authentication: Not required; Privileges required: None; User interaction: None
  • Primary impact: Confidentiality: High; Integrity: None; Availability: None
  • CWE / Weakness: CWE-89 (SQL Injection)

Technical Details

The vulnerability is a SQL injection in the handling of the coupon_code parameter. According to the CVE description, the user-supplied value is not sufficiently escaped and the existing SQL query is not properly prepared, so an unauthenticated attacker can append additional SQL to a query the plugin already executes. This can be used to extract sensitive information from the database.

The CVE entry notes that the issue was partially mitigated in versions 3.9.4 and 3.9.6, but does not specify a fully fixed version or additional remediation details.
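To make concrete what the CVE description means by missing escaping and query preparation, the following is an added, constructed illustration (not code from Tutor LMS or from this bulletin) of a coupon lookup written the unsafe way and then the way WordPress expects, using the standard $wpdb API. The table name tutor_coupons and the column coupon_code are assumptions made for the example.

```php
<?php
// Constructed example, not Tutor LMS code. Assumes a hypothetical table
// {$wpdb->prefix}tutor_coupons with a coupon_code column.

// UNSAFE: the request value is concatenated straight into the SQL text.
// A single quote inside the value ends the string literal early, and
// whatever follows it is parsed as SQL instead of being matched as data.
function lookup_coupon_unsafe( string $coupon_code ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}tutor_coupons"
         . " WHERE coupon_code = '" . $coupon_code . "'";
    return $wpdb->get_row( $sql );
}

// SAFE: the value is bound through a %s placeholder in $wpdb->prepare(),
// which escapes and quotes it so it can only ever be compared as a string
// literal, never interpreted as part of the query structure.
function lookup_coupon_safe( string $coupon_code ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}tutor_coupons WHERE coupon_code = %s",
        $coupon_code
    );
    return $wpdb->get_row( $sql );
}

// Typical request path: unslash and sanitize the raw parameter before use.
// Sanitizing is defence in depth; the prepared statement is what actually
// prevents the injection described in the CVE.
$raw  = isset( $_REQUEST['coupon_code'] ) ? wp_unslash( $_REQUEST['coupon_code'] ) : '';
$code = sanitize_text_field( $raw );
$row  = lookup_coupon_safe( $code );   // object for a matching coupon, null otherwise
```

When auditing a plugin for this class of bug, the pattern to look for is any $wpdb->query(), get_row(), get_results() or get_var() call whose SQL string is built by concatenation or interpolation of request data rather than passed through prepare().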


How This Could Impact Your Website

In a typical site environment, a site owner manages the primary account, internal staff such as course authors and editors manage content, and external contractors or contributors may interact with course data. An unauthenticated SQL injection that exposes database content could allow an attacker to retrieve user data stored by the plugin or site (for example, user email addresses or other profile fields).

Practical consequences include disclosure of internal user contact information that can increase the risk of targeted phishing or social engineering attacks against staff or contributors. The vulnerability, as described, focuses on data disclosure rather than direct modification or availability impact.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available. (No fixed version is specified in the CVE entry.)
  • Review and reduce unnecessary user roles and permissions, especially for contributor and editor accounts.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from the site.
  • Monitor site activity and logs for unusual database queries or access patterns that could indicate exploitation attempts.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References