CVE-2024-1751
📋 TL;DR
This vulnerability allows authenticated attackers with subscriber/student access or higher to perform time-based SQL injection via the question_id parameter in the Tutor LMS WordPress plugin. Attackers can extract sensitive information from the database by injecting crafted SQL. All WordPress sites running Tutor LMS up to and including version 2.6.1 are affected.
💻 Affected Systems
- Tutor LMS – eLearning and online course solution plugin for WordPress
📦 What is this software?
Tutor LMS by Themeum
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including extraction of user credentials, personal data, payment information, and potential privilege escalation to administrative access.
Likely Case
Extraction of sensitive user data (emails, names, course progress), potential exposure of WordPress configuration details, and possible data exfiltration.
If Mitigated
Limited impact with proper input validation and parameterized queries preventing successful injection attempts.
🎯 Exploit Status
Time-based SQL injection requires authenticated access, but exploitation techniques are well documented and tooling is readily available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3049105%40tutor&new=3049105%40tutor
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Tutor LMS plugin
4. Click 'Update Now' if available
5. Alternatively, download version 2.6.2+ from WordPress repository and manually update
🔧 Temporary Workarounds
Temporary Input Validation
Add custom validation to sanitize the question_id parameter before processing
Add to the theme's functions.php or a custom plugin:
// Coerce question_id to an integer; anything non-numeric becomes 0 so it cannot carry SQL syntax
add_filter('tutor_question_id_validation', function($question_id) {
    return is_numeric($question_id) ? intval($question_id) : 0;
});
Access Restriction
Temporarily restrict access to affected Tutor LMS endpoints
Add to .htaccess (Apache; nginx needs an equivalent location block, since it does not use RewriteRule syntax):
# Block direct requests to the vulnerable file. The file is named Utils.php
# (capital U), so [NC] is needed for the match to be case-insensitive.
RewriteEngine On
RewriteRule ^wp-content/plugins/tutor/.*utils\.php$ - [NC,F,L]
Note that this only blocks direct HTTP requests for the file; if the vulnerable code is reached through WordPress's normal request handling rather than by requesting the file directly, this rule does not help, so treat it as a stopgap and still update.
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block SQL injection patterns targeting question_id parameter
- Restrict user registration and implement strong authentication controls to limit potential attackers
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Tutor LMS → Version number. If the version is 2.6.1 or lower, the site is vulnerable.
Check Version:
wp plugin list --name=tutor --field=version (if WP-CLI installed) or check WordPress admin plugins page
Verify Fix Applied:
After updating, verify version is 2.6.2 or higher in WordPress admin panel and test question functionality works normally.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by SQL-like patterns in access logs
- Long response times on Tutor LMS question endpoints
Network Indicators:
- Unusual outbound database connections from web server
- SQL injection patterns in HTTP requests to /wp-content/plugins/tutor/
SIEM Query:
source="web_access_logs" AND uri="/wp-content/plugins/tutor/" AND (request LIKE "%question_id%" AND (request LIKE "%SLEEP(%" OR request LIKE "%BENCHMARK(%" OR request LIKE "%WAITFOR%"))
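To run the same detection logic offline against web server logs, here is an added Python example (not from the advisory or the Tutor LMS project) that sweeps constructed Apache access-log lines for time-based probes on question_id; the /wp-content/plugins/tutor/quiz path and the client IPs are assumptions. It decodes the URI before matching, which the raw substring match in the SIEM query above needs the SIEM to do for it.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format log lines (not real traffic). The last two
# mimic time-based probes against question_id; the quiz path is an assumption.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Feb/2024:10:01:02 +0000] "GET /wp-content/plugins/tutor/quiz?question_id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [20/Feb/2024:10:01:09 +0000] "GET /wp-content/plugins/tutor/assets/css/tutor.css HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.12 - - [20/Feb/2024:10:02:15 +0000] "GET /wp-content/plugins/tutor/quiz?question_id=42%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.12 - - [20/Feb/2024:10:02:21 +0000] "GET /wp-content/plugins/tutor/quiz?question_id=42%29%20AND%20BENCHMARK%2810000000%2CMD5%281%29%29 HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# The MySQL timing primitives named in the SIEM query above.
TIME_FUNCS = re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR)\b", re.IGNORECASE)


def find_time_based_probes(log_text, path_prefix="/wp-content/plugins/tutor/"):
    """Return (ip, timestamp, decoded_uri, function) for each request under the plugin path whose decoded query carries question_id and a timing function."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        uri = m.group("uri")
        if not uri.startswith(path_prefix):
            continue
        # Decode first: probes arrive as SLEEP%285%29, which a raw substring
        # match like LIKE "%SLEEP(%" misses unless the SIEM decodes the field.
        decoded = unquote_plus(uri)
        if "question_id" not in decoded:
            continue
        fn = TIME_FUNCS.search(decoded)
        if fn:
            hits.append((m.group("ip"), m.group("ts"), decoded, fn.group(1).upper()))
    return hits


def probes_per_source(hits):
    """Count flagged requests per client IP; repeats from one IP are the usual signal."""
    counts = {}
    for ip, *_ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_time_based_probes(SAMPLE_LOG):
        print(hit)
```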
🔗 References
- https://plugins.trac.wordpress.org/browser/tutor/tags/2.6.1/classes/Utils.php#L4555
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3049105%40tutor&new=3049105%40tutor&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f9cee379-79f8-4a60-b1bb-ccab1e954512?source=cve