CVE-2025-58993: 
WordPress vulnerability analysis and mitigation

An SQL Injection vulnerability (CVE-2025-58993) was discovered in Themeum's Tutor LMS plugin affecting versions through 3.7.4. The vulnerability was reported by YCInfosec and publicly disclosed on September 9, 2025 ([Patchstack](https://patchstack.com/database/wordpress/plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-7-4-sql-injection-vulnerability?s_id=cve)).

The vulnerability is classified as an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') with a CVSS v3.1 base score of 7.6 (High). The attack vector is Network-based (AV:N) with Low attack complexity (AC:L), requiring High privileges (PR:H), and No user interaction (UI:N). The scope is Changed (S:C) with High impact on Confidentiality (C:H), No impact on Integrity (I:N), and Low impact on Availability (A:L) (NVD).

The SQL Injection vulnerability could allow a malicious actor with administrator privileges to directly interact with the database, potentially leading to unauthorized access to sensitive information stored in the database (Patchstack).

The vulnerability has been fixed in Tutor LMS version 3.8.0. Users are advised to update to version 3.8.0 or later to remove the vulnerability. The security issue is considered to have a low severity impact and is unlikely to be exploited (Patchstack).