CVE-2023-25700: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability was discovered in Themeum's Tutor LMS WordPress plugin, identified as CVE-2023-25700. The vulnerability affects versions up to and including 2.1.10 of the Tutor LMS plugin. This security flaw was discovered by Rafie Muhammad and was publicly disclosed on May 30, 2023. The vulnerability allows unauthenticated attackers to perform SQL injection attacks against affected WordPress installations (Patchstack).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries in the Tutor LMS plugin. This security flaw has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (NVD, WPScan).

The SQL injection vulnerability allows unauthenticated attackers to append additional SQL queries to existing ones, potentially enabling them to extract sensitive information from the database. Given the CVSS score of 9.8, this vulnerability is considered highly dangerous and is expected to become mass exploited. The impact could include unauthorized access to sensitive data, manipulation of database contents, and potential compromise of the WordPress installation (Patchstack).

The vulnerability has been patched in version 2.2.0 of the Tutor LMS plugin. Site administrators are strongly advised to update to this version or later immediately. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until the update can be applied (Patchstack).