CVE-2024-10400 Scanner - SQL Injection vulnerability in Tutor LMS
Short Info
Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 11 hours
Scan only one: Domain, IPv4
Toolbox: -
Tutor LMS is a comprehensive learning management system (LMS) plugin for WordPress that enables the creation and management of online educational courses. It is widely used by educators, institutions, and businesses to deliver structured e-learning experiences. With features like course creation, student management, and quizzes, Tutor LMS has become a popular choice for e-learning platforms.
SQL Injection is a critical vulnerability where attackers exploit unsanitized input fields to execute arbitrary SQL queries on the database. This can lead to unauthorized data extraction, data modification, or database compromise. The vulnerability exists due to improper handling of user-supplied input.
The vulnerability in Tutor LMS affects the `rating_filter` parameter due to insufficient input sanitization and lack of SQL query preparation. Exploitation involves injecting malicious SQL queries into this parameter, allowing attackers to retrieve sensitive information from the WordPress database.
If exploited, this vulnerability could expose sensitive user data, such as email addresses, hashed passwords, and other critical information stored in the database. It may also enable attackers to manipulate the database, leading to data loss or service disruption.
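A detection-side check for the `rating_filter` parameter described above, as an added example that is not part of the original page or of Tutor LMS itself: it scans request targets and form-encoded bodies for `rating_filter` values that are not a plain rating number. The 1-5 value range, the record layout and the `/example-endpoint` path are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

PARAM = "rating_filter"
# Assumption (not from the page): a legitimate value is a single star rating, 1-5.
VALID = re.compile(r"[1-5]")


def rating_values(target, body=""):
    """Return every rating_filter value in a request target and form-encoded body."""
    pairs = parse_qsl(urlsplit(target).query) + parse_qsl(body)
    # PHP also accepts array syntax (rating_filter[]=5), so compare the base name.
    return [value for key, value in pairs if key.split("[", 1)[0] == PARAM]


def flag_requests(records):
    """Return (source, decoded value) for each value that is not exactly one digit 1-5."""
    hits = []
    for rec in records:
        for value in rating_values(rec["target"], rec.get("body", "")):
            if not VALID.fullmatch(value):
                hits.append((rec["src"], value))
    return hits


# Constructed sample records; addresses come from documentation ranges and
# /example-endpoint is a placeholder, not the plugin's real route.
SAMPLE = [
    {"src": "198.51.100.7", "target": "/example-endpoint?rating_filter=5"},
    {"src": "203.0.113.9",
     "target": "/example-endpoint?rating_filter=5%27%20OR%20%271%27%3D%271"},
    {"src": "203.0.113.9", "target": "/example-endpoint",
     "body": "course_id=12&rating_filter%5B%5D=3+UNION+SELECT+1"},
    {"src": "198.51.100.7", "target": "/example-endpoint?page=2"},
]

if __name__ == "__main__":
    for src, value in flag_requests(SAMPLE):
        print(f"{src}: unexpected rating_filter value {value!r}")
```

The same allowlist applied server-side, before a prepared query, addresses the two causes the description names: missing sanitization and missing query preparation.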