PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-10736 themeum CVE debrief

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This vulnerability allows authenticated attackers with administrator-level access and above to append additional SQL queries into already existing queries, potentially leading to sensitive information extraction from the database. The vulnerability has a CVSS score of 4.9 and a severity rating of MEDIUM. Administrators and users of the Tutor LMS plugin should be aware of this vulnerability and take necessary actions to mitigate it.

Vendor
themeum
Product
Tutor LMS – eLearning and online course solution
CVSS
MEDIUM 4.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-18
Original CVE updated
2026-06-18
Advisory published
2026-06-18
Advisory updated
2026-06-18

Who should care

Administrators and users of the Tutor LMS – eLearning and online course solution plugin for WordPress, especially those with administrator-level access and above, should be aware of this vulnerability and take necessary actions to mitigate it. This includes reviewing the plugin's configuration, monitoring database activity, and implementing additional security controls as needed.

Technical summary

The vulnerability exists in the Tutor LMS plugin due to insufficient escaping on the user-supplied 'data' parameter and lack of sufficient preparation on the existing SQL query. This allows authenticated attackers with administrator-level access and above to append additional SQL queries into already existing queries, potentially leading to sensitive information extraction from the database. The vulnerability has been assigned a CVSS score of 4.9 and a severity rating of MEDIUM. The CVE record was published on 2026-06-18T06:16:56.573Z and was last modified on 2026-06-18T17:16:27.600Z.

Defensive priority

High

Recommended defensive actions

  • Update the Tutor LMS plugin to a version that fixes the SQL injection vulnerability
  • Restrict access to the plugin's administrative interface to trusted users only
  • Monitor database activity for suspicious queries
  • Implement a web application firewall (WAF) to detect and prevent SQL injection attacks
  • Regularly review and update the plugin to ensure it remains secure
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-06-18T06:16:56.573Z and was last modified on 2026-06-18T17:16:27.600Z. The NVD entry is currently Deferred. This information is based on the provided source corpus and may be subject to change as new information becomes available. Defenders should verify the accuracy of this information and review the official CVE record and NVD entry for the latest details.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T06:16:56.573Z and has not been modified since then. The NVD entry is currently Deferred.