External risk intelligence

Tutor LMS Pro SQL Injection Vulnerability

CVE advisory · Severity: CRITICAL (CVSS 9.3)

CVE-2026-22332

An unauthenticated SQL injection vulnerability in Tutor LMS Pro could allow attackers to access or modify sensitive database information. This poses a risk to data confidentiality and integrity. It is important to determine if this plugin is in use and assess its exposure.

SQL Injection

Halo Surface Signal

Likely · external exposure

This vulnerability affects a WordPress plugin. Such plugins are commonly used in web applications that are intentionally deployed public-facing to serve content and functionality to internet users.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in a popular WordPress plugin, allowing unauthenticated attackers to execute SQL injection attacks. This means malicious actors could potentially access or manipulate sensitive database information without needing any login credentials. The primary concern is confirming if this plugin is in use and assessing any potential exposure.

  • Unauthenticated attackers can inject malicious SQL code.
  • Understand impact on data integrity and confidentiality.
  • Confirm plugin usage and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted requests over the internet to a web application using the affected plugin. This exposure allows an unauthenticated attacker to directly interact with a vulnerable component, potentially leading to unauthorized access to sensitive database information.

  • No authentication required.
  • Triggered by unauthenticated network requests.
  • Risk of unauthorized database access.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to inject malicious SQL code into a web application using Tutor LMS Pro. When exploited, this could lead to unauthorized access to or modification of sensitive data stored in the application's database, or potentially disrupt the service.

  • Database data could be exposed.
  • Via specially crafted network requests.
  • Service disruption or data compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

This unauthenticated SQL injection vulnerability in Tutor LMS Pro impacts external-facing web applications. The primary responsibility for addressing this issue likely falls on the application owners or platform teams managing WordPress sites. The first practical step is to identify all instances of the affected plugin, confirm their exposure and criticality, and then coordinate remediation efforts.

  • Application owners should own the issue.
  • Verify external reachability and business criticality.
  • Plan remediation during the next maintenance window.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-22332 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows unauthenticated attackers to extract sensitive database information, posing a significant risk to cardholder data and thus requiring a PCI scan.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Tutor LMS Pro?

Tutor LMS Pro is a WordPress plugin designed to help users build and manage online learning platforms. It provides features like course creation, quizzes, and student management systems. Because it is a plugin for WordPress, it is frequently used to power educational websites that must remain accessible to students and instructors over the internet.

What does SQL injection mean for CVE-2026-22332?

This vulnerability falls under the CWE-89 weakness class, which refers to improper neutralization of special elements used in an SQL command. In simple terms, the software fails to properly filter user input before sending it to the database. This allows an attacker to insert their own database queries, potentially tricking the application into revealing private information it was never intended to share.
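To make the CWE-89 weakness class concrete, the following added example (not code from Tutor LMS Pro or from this advisory) puts a string-built query beside its parameterized fix. It uses an in-memory SQLite table named `courses` that is constructed here as a stand-in; the "unpublished draft" row plays the role of the private information the paragraph above mentions.

```python
"""CWE-89 side by side: input spliced into SQL text vs. a bound parameter.

Added illustration using SQLite; the 'courses' table and its rows are
constructed sample data, not the plugin's schema.
"""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Build a throwaway table with one public and one unpublished course."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE courses (id INTEGER, title TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO courses VALUES (?, ?, ?)",
        [(1, "Intro to Python", 1), (2, "Unpublished draft", 0), (3, "Security 101", 1)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, course_id: str) -> List[Tuple[int, str]]:
    """CWE-89: the request parameter becomes part of the SQL statement itself.

    A value that is not a plain number changes the WHERE clause, so the
    'published = 1' restriction the developer wrote can be bypassed.
    """
    sql = (
        "SELECT id, title FROM courses WHERE published = 1 AND id = "
        + course_id
        + " ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, course_id: str) -> List[Tuple[int, str]]:
    """Fixed form: validate the type, then bind the value with a placeholder.

    The statement structure is fixed at authoring time; the database only
    ever sees the parameter as data, never as SQL.
    """
    try:
        course_id_int = int(course_id)
    except ValueError:
        return []  # reject anything that is not an integer id
    sql = "SELECT id, title FROM courses WHERE published = 1 AND id = ? ORDER BY id"
    return conn.execute(sql, (course_id_int,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed request values: a normal id and one that carries SQL syntax.
    for value in ("1", "1 OR published = 0"):
        print(repr(value), "unsafe ->", lookup_unsafe(db, value))
        print(repr(value), "safe   ->", lookup_safe(db, value))
```

Run it and compare the two result sets for the second value: the string-built query returns the unpublished row because the appended `OR` rewrites the developer's condition, while the parameterized query returns nothing because the input fails validation and, even if it had been bound, would have been compared as a literal value. In WordPress plugin code the equivalent fix is `$wpdb->prepare()` with `%d`/`%s` placeholders rather than string concatenation.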

How does an attacker trigger this vulnerability?

An attacker triggers this flaw by sending specially crafted network requests to the web application. Because the vulnerability is unauthenticated, the attacker does not need a user account, password, or any prior access to the site to initiate these requests. Typical, legitimate interactions with course materials by students or teachers do not trigger this flaw.

Is my website at risk for CVE-2026-22332?

Your risk level depends heavily on your network setup. According to Halo Surface Signal, this vulnerability is classified as external because it impacts WordPress plugins, which are commonly deployed to be public-facing. If your site uses an affected version of Tutor LMS Pro and is reachable from the internet, you should consider it a high-priority item for investigation.

What should I do first to address this?

The immediate priority is to verify whether your environment is running an affected version of the plugin. Start by creating an inventory of your web assets to confirm which sites have Tutor LMS Pro installed. Once identified, evaluate the criticality of those specific sites and coordinate with your technical team to plan for updates or security patches during your next available maintenance window.
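Both the Operational Fix section and the answer above start with the same step: find every site that has the plugin installed and record its version. The following added script (not from this advisory or from the plugin vendor) does that by reading the header comment that WordPress requires at the top of every plugin's main PHP file, the same `Plugin Name:` and `Version:` lines WordPress itself parses. It builds a small constructed `wp-content/plugins` tree so it runs offline; point `inventory_plugins()` at a real plugins directory to use it. The affected version range is not stated on this page, so the script reports the installed version for comparison with the vendor's advisory rather than deciding vulnerability itself; the directory name `tutor-pro` in the sample tree is a placeholder, not a confirmed slug.

```python
"""Inventory WordPress plugins from their main-file headers and flag a watch list.

Added example. It relies only on the documented WordPress plugin header
convention ("Plugin Name:" / "Version:" lines inside the first 8 KB of the
plugin's main PHP file). Sample tree and versions below are constructed.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Same tolerant prefix WordPress uses: leading spaces, '*', '/', '#', '@'.
HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$", re.M | re.I
)
# Case-insensitive substrings of the header's Plugin Name to flag.
WATCH_LIST = ("tutor lms pro",)


def parse_plugin_header(php_path: Path) -> dict | None:
    """Return name/version/path if the file carries a plugin header, else None."""
    try:
        head = php_path.read_text(encoding="utf-8", errors="replace")[:8192]
    except OSError:
        return None
    fields = {key.lower(): value for key, value in HEADER_RE.findall(head)}
    if "plugin name" not in fields:
        return None
    return {
        "name": fields["plugin name"],
        "version": fields.get("version", "unknown"),
        "path": str(php_path),
    }


def inventory_plugins(plugins_dir: Path) -> list[dict]:
    """Scan each plugin directory (or bare .php file) for exactly one header."""
    found: list[dict] = []
    for entry in sorted(plugins_dir.iterdir()):
        if entry.is_dir():
            candidates = sorted(entry.glob("*.php"))
        elif entry.suffix == ".php":
            candidates = [entry]
        else:
            continue
        for php in candidates:
            info = parse_plugin_header(php)
            if info:
                found.append(info)
                break  # first header found identifies the plugin
    return found


def flag_watched(plugins: list[dict]) -> list[dict]:
    """Keep only plugins whose name matches the watch list."""
    return [p for p in plugins if any(w in p["name"].lower() for w in WATCH_LIST)]


def build_sample_install() -> Path:
    """Create a constructed wp-content/plugins tree for an offline run."""
    root = Path(tempfile.mkdtemp(prefix="wp-plugins-"))
    (root / "tutor-pro").mkdir()  # placeholder directory name
    (root / "tutor-pro" / "tutor-pro.php").write_text(
        "<?php\n/**\n * Plugin Name: Tutor LMS Pro\n * Version: 0.0.0-sample\n */\n"
    )
    (root / "example.php").write_text(
        "<?php\n/*\nPlugin Name: Example Plugin\nVersion: 1.0.0\n*/\n"
    )
    return root


if __name__ == "__main__":
    plugins_root = build_sample_install()
    for plugin in inventory_plugins(plugins_root):
        print(f"{plugin['name']:<20} {plugin['version']:<14} {plugin['path']}")
    for hit in flag_watched(inventory_plugins(plugins_root)):
        print(f"REVIEW: {hit['name']} {hit['version']} (compare against vendor advisory)")
```

Run it across every site's `wp-content/plugins` directory (for example from a configuration-management host that can read each web root) and feed the flagged entries into the exposure and criticality review described above; the version column is what you compare with the fixed release once the vendor publishes it.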
