PT-2026-33407 · WordPress · Tutor Lms

Prism · Published 2026-04-17 · Updated 2026-04-17 · CVE-2026-6080

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
Tutor LMS versions prior to 3.9.9

Description
The Tutor LMS plugin for WordPress contains a SQL injection flaw. The date parameter is not sufficiently escaped and is interpolated directly into a SQL fragment before that fragment is passed to $wpdb->prepare(). Authenticated attackers with Admin-level access or higher can exploit this to append additional SQL queries and extract sensitive data from the database.

Recommendations
Update the plugin to a version newer than 3.9.8. As a temporary workaround, restrict access to the functionality that uses the date parameter to minimize the risk of exploitation.
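
The pattern described above, shown beside a corrected form. This is an added illustration, not Tutor LMS source code: the function names, the example_enrollments table and the created_at column are hypothetical, and the code assumes it runs inside WordPress, where $wpdb and WP_Error are available.

```php
<?php
// Added illustration: hypothetical names, not Tutor LMS source code.

// Vulnerable pattern: $date is interpolated into the SQL fragment first, so it
// is already part of the query template when prepare() runs. prepare() only
// escapes values bound to placeholders; it never treats $date as data.
function example_count_enrollments_vulnerable( $course_id, $date ) {
    global $wpdb;
    $date_clause = "AND DATE(created_at) = '{$date}'"; // unescaped input
    return $wpdb->get_var(
        $wpdb->prepare(
            "SELECT COUNT(*) FROM {$wpdb->prefix}example_enrollments
             WHERE course_id = %d {$date_clause}",
            $course_id
        )
    );
}

// Strict format check: accept only a real calendar date written as YYYY-MM-DD.
// Round-tripping through format() rejects overflow dates such as 2026-02-30
// and unpadded forms; trailing characters make createFromFormat() return false.
function example_parse_date( $raw ) {
    if ( ! is_string( $raw ) ) {
        return null;
    }
    $dt = DateTime::createFromFormat( '!Y-m-d', $raw );
    if ( false === $dt || $dt->format( 'Y-m-d' ) !== $raw ) {
        return null;
    }
    return $raw;
}

// Hardened form: validate the date, then bind it through a %s placeholder so
// prepare() escapes it. No request data is concatenated into the template.
function example_count_enrollments_fixed( $course_id, $date ) {
    global $wpdb;
    $date = example_parse_date( $date );
    if ( null === $date ) {
        return new WP_Error( 'invalid_date', 'Date must be YYYY-MM-DD.' );
    }
    return $wpdb->get_var(
        $wpdb->prepare(
            "SELECT COUNT(*) FROM {$wpdb->prefix}example_enrollments
             WHERE course_id = %d AND DATE(created_at) = %s",
            $course_id,
            $date
        )
    );
}
```

When reviewing other plugin code for the same flaw, look for variables embedded in the first argument of $wpdb->prepare() that originate from request data rather than from constants or $wpdb->prefix.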

Fix

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-6080

Affected Products

Tutor Lms