What is CVE-2025-13673?

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient...

How severe is CVE-2025-13673?

CVE-2025-13673 is rated high severity with a CVSS score of 7.5 out of 10.

What products are affected by CVE-2025-13673?

CVE-2025-13673 affects WordPress. Check vendor advisories for specific affected versions.

How do I fix CVE-2025-13673?

Apply the latest security patches from the vendor. If patching is not immediately possible, review the mitigation steps in this advisory and monitor for exploitation attempts.

Wordpress SQL Injection (CVE-2025-13673)

Overview

A significant security vulnerability has been identified in the Tutor LMS plugin for WordPress. This flaw could allow an unauthenticated attacker to perform SQL Injection attacks by manipulating the coupon_code parameter.

Vulnerability Explanation

In simple terms, the plugin did not properly sanitize or prepare the data entered into the coupon code field. This failure creates an opening where an attacker can input malicious code instead of a normal coupon code. Because this input is not safely separated from the database command itself, the attacker’s code can become part of the query that the system runs. This lets them “talk” directly to the website’s database to extract sensitive information stored within it, such as user details, course data, or other confidential records.

Impact

If successfully exploited, this vulnerability can lead to a severe data breach. Attackers could steal sensitive information from the database, including personally identifiable information (PII) of students and instructors, course content, payment-related data, and other administrative records. This compromises user privacy, can lead to financial fraud, and damages the trust and reputation of the educational platform.

Remediation and Mitigation

The most critical action is to update the plugin immediately.

Immediate Update: Upgrade the Tutor LMS plugin to the latest available version beyond 3.9.6. This is the only complete solution. WordPress site administrators should navigate to Dashboard > Plugins and apply the update without delay.
Verify Version: Confirm your site is running a patched version. Do not rely on the partial mitigations noted in versions 3.9.4 and 3.9.6; a full update is required.
Security Best Practices: As a general rule, ensure all WordPress core files, themes, and plugins are kept up to date. Consider using a web application firewall (WAF) to help detect and block common injection attacks.
Monitoring: Site owners should review server and security logs for any suspicious activity, particularly unusual database queries originating from the course or checkout pages.

All organizations using Tutor LMS should treat this update with high priority to protect their data and users.

Wordpress SQL Injection (CVE-2025-13673)

Overview

Vulnerability Explanation

Impact

Remediation and Mitigation

Never miss a critical vulnerability

Related Advisories

Other WordPress Vulnerabilities

Overview

Vulnerability Explanation

Impact

Remediation and Mitigation

Never miss a critical vulnerability

Related Advisories

Other WordPress Vulnerabilities

Never Miss a Critical Alert