CVE-2025-6184: 
WordPress vulnerability analysis and mitigation

The Tutor LMS Pro – eLearning and online course solution plugin for WordPress contains a time-based SQL Injection vulnerability (CVE-2025-6184) in versions up to and including 3.7.0. The vulnerability exists in the 'order' parameter used in the getsubmittedassignments() function due to insufficient escaping of user-supplied parameters and inadequate SQL query preparation (NVD).

The vulnerability is classified as SQL Injection (CWE-89) with a CVSS v3.1 Base Score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The issue allows authenticated attackers with Tutor-level access and above to append additional SQL queries to existing queries, potentially leading to unauthorized data extraction from the database. Only the Pro version of the plugin is affected (NVD).

The vulnerability enables authenticated attackers to extract sensitive information from the database by injecting malicious SQL queries. This could potentially lead to unauthorized access to sensitive data stored within the WordPress database, affecting the confidentiality and integrity of the system (NVD).

Users of Tutor LMS Pro should upgrade to a version newer than 3.7.0 when available. As this is a recently discovered vulnerability, users should monitor the official Tutor LMS website and WordPress plugin repository for security updates (Tutor LMS, WordPress Plugin).