CVE-2024-4902
📋 TL;DR
This vulnerability allows authenticated attackers with admin-level access in Tutor LMS WordPress plugin to perform time-based SQL injection attacks via the 'course_id' parameter. Attackers can extract sensitive database information by injecting malicious SQL queries. Only WordPress sites running vulnerable Tutor LMS versions are affected.
💻 Affected Systems
- Tutor LMS – eLearning and online course solution for WordPress
📦 What is this software?
Tutor LMS by Themeum
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including user credentials, payment information, course content, and WordPress configuration data leading to full site takeover.
Likely Case
Extraction of sensitive user data (emails, names), course enrollment records, and potentially WordPress admin credentials.
If Mitigated
Limited impact if proper network segmentation, database permissions, and admin access controls are implemented.
🎯 Exploit Status
Exploitation requires admin credentials but SQL injection is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.7.2 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find Tutor LMS and click 'Update Now'.
4. Verify the version is 2.7.2 or higher.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the Tutor LMS plugin until the patched version is available
wp plugin deactivate tutor
🧯 If You Can't Patch
- Restrict admin access to trusted IP addresses only
- Implement web application firewall with SQL injection rules
🔍 How to Verify
Check if Vulnerable:
Check Tutor LMS plugin version in WordPress admin panel under Plugins → Installed Plugins
Check Version:
wp plugin list --name=tutor --field=version
Verify Fix Applied:
Confirm Tutor LMS version is 2.7.2 or higher in WordPress admin
📡 Detection & Monitoring
Log Indicators:
- Unusual database query patterns
- Multiple failed login attempts followed by successful admin login
- Long-running SQL queries with time delays
Network Indicators:
- HTTP POST requests to Tutor LMS endpoints with SQL injection patterns in course_id parameter
SIEM Query:
source="web_logs" AND url="*tutor*" AND param="*course_id*" AND (value="*SLEEP*" OR value="*WAITFOR*" OR value="*BENCHMARK*")
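To apply the same detection rule offline to web server access logs, here is an added Python example (not part of this advisory): it checks the URL-decoded course_id value of Tutor LMS requests for the SLEEP, WAITFOR and BENCHMARK time-delay functions, so URL-encoded or mixed-case variants are not missed. The log format, IP addresses and the action name in the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Time-delay functions from the advisory's SIEM query: MySQL SLEEP/BENCHMARK,
# MSSQL WAITFOR. Word boundaries avoid matching e.g. "sleeping" in a title.
TIME_DELAY = re.compile(r"\b(sleep|benchmark|waitfor)\b", re.IGNORECASE)

# Combined access-log format (constructed for this example; adapt to your logs).
# Note: an access log only records the query string, so a course_id sent in a
# POST body is invisible here and needs WAF or application-level logging.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)

def course_id_values(target):
    """Return every course_id value in the request, decoded twice so a
    double-URL-encoded payload does not slip past a plain substring match."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [unquote_plus(v) for v in values.get("course_id", [])]

def is_suspicious(target):
    """True for a Tutor LMS request whose course_id carries a time-delay function."""
    if "tutor" not in target.lower():  # same scope as url="*tutor*" in the SIEM query
        return False
    return any(TIME_DELAY.search(v) for v in course_id_values(target))

def scan(lines):
    """Return (ip, target) for each log line the detection rule fires on."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_suspicious(m.group("target")):
            hits.append((m.group("ip"), m.group("target")))
    return hits

# Constructed sample log lines (placeholder IPs and action name, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2024:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=tutor_example&course_id=42 HTTP/1.1" 200',
    '203.0.113.7 - - [10/May/2024:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=tutor_example&course_id=42+AND+SLEEP%25285%2529 HTTP/1.1" 200',
    '198.51.100.3 - - [10/May/2024:10:02:15 +0000] "GET /?s=tutor&course_id=sleeping HTTP/1.1" 200',
]

if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG):
        print(f"ALERT {ip} {target}")
```

Only the second sample line fires: the first has a plain numeric course_id and the third contains "sleeping", which the word-boundary match correctly ignores.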
🔗 References
- https://plugins.trac.wordpress.org/browser/tutor/tags/2.7.0/classes/Utils.php#L1936
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3098465%40tutor%2Ftrunk&old=3086489%40tutor%2Ftrunk&sfp_email=&sfph_mail=#file8
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f00e8169-3b8f-44a0-9af2-e81777a913f8?source=cve