PT-2024-3141 · Tutor Lms · Tutor Lms

Author: Muhammad Hassham Nagori
Published: 2024-02-22
Updated: 2026-02-09
CVE: CVE-2024-1751
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Tutor LMS versions up to, and including, 2.6.1
Description: The issue is a SQL injection vulnerability caused by insufficient protection of the SQL query structure (the value is not escaped or parameterized) when the question id parameter is handled. This allows a remote attacker to execute arbitrary SQL queries and gain unauthorized access to protected information. The vulnerability can be exploited by authenticated attackers with subscriber or student access, or higher, to extract sensitive information from the database. It is estimated that over 80,000 WordPress sites are potentially affected.
Recommendations: For versions up to, and including, 2.6.1, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to the question id parameter in the affected API endpoint until a patch is available. Restrict access to the database to minimize the risk of exploitation.
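The following is an added illustration of the defect class described above and its fix; it is not Tutor LMS code and does not reproduce the vulnerable handler. The function names, the request shape and the table name (tutor_example_*, wp_example_questions) are assumptions. It shows a hypothetical WordPress handler that loads a question by the request's question id, first in the unsafe pattern the advisory describes (request value concatenated into the query) and then in the hardened form using WordPress's own type coercion and parameterized query API.

```php
<?php
// Added example (not Tutor LMS code). All names below are hypothetical.

// Vulnerable pattern: the raw request value becomes part of the SQL text,
// so the query structure is controlled by whoever sends the request.
function tutor_example_get_question_unsafe( array $request ) {
    global $wpdb;
    $question_id = $request['question_id'];
    $sql = "SELECT question_id, title FROM {$wpdb->prefix}example_questions "
         . "WHERE question_id = " . $question_id;
    return $wpdb->get_row( $sql );
}

// Hardened pattern:
//  1. Coerce the parameter to the type the column expects (absint() yields a
//     non-negative integer and drops anything else).
//  2. Reject a missing or zero id with a 400 before touching the database.
//  3. Build the query with $wpdb->prepare() and a %d placeholder so the value
//     can never alter the query structure.
//  4. Require an authenticated user; the advisory's exploit precondition is
//     any subscriber-level account, so an additional authorization check on
//     the specific question (enrollment, ownership) belongs here as well.
function tutor_example_get_question_safe( array $request ) {
    global $wpdb;

    $question_id = isset( $request['question_id'] ) ? absint( $request['question_id'] ) : 0;
    if ( 0 === $question_id ) {
        return new WP_Error(
            'invalid_question_id',
            'question_id must be a positive integer',
            array( 'status' => 400 )
        );
    }

    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'unauthorized', 'Login required', array( 'status' => 401 ) );
    }

    // Hypothetical per-object authorization hook; the real check depends on
    // the application's data model and is assumed here.
    if ( ! tutor_example_user_may_view_question( get_current_user_id(), $question_id ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to view this question', array( 'status' => 403 ) );
    }

    $sql = $wpdb->prepare(
        "SELECT question_id, title FROM {$wpdb->prefix}example_questions WHERE question_id = %d",
        $question_id
    );
    return $wpdb->get_row( $sql );
}

// Stand-in for an enrollment/ownership check; assumed, not real project code.
function tutor_example_user_may_view_question( int $user_id, int $question_id ): bool {
    return $user_id > 0 && $question_id > 0;
}
```

The two pieces that remove the injection are absint() and $wpdb->prepare() with %d: after them the parameter can only ever be an integer literal in the query. The separate authorization check matters because the advisory's attacker already holds a valid low-privilege account, so authentication alone is not the boundary being defended.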

Fix

SQL injection

Weakness Enumeration

Related Identifiers: BDU:2024-03354, CVE-2024-1751

Affected Products: Tutor Lms