PatchSiren cyber security CVE debrief
CVE-2026-15022 themeum CVE debrief
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via Stored Quiz Answer Array in all versions up to, and including, 4.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This vulnerability allows authenticated attackers with custom-level access and above to append additional SQL queries into existing queries, potentially extracting sensitive information from the database. The vulnerability is a second-order (stored) injection chain, as the payload is stored at quiz-attempt time via the wp_ajax_tutor_quiz_abandon handler, but the injected SQL executes only when a privileged user or Tutor REST API key holder requests the /wp-json/tutor/v1/quiz-attempt-details/{id} endpoint.
- Vendor
- themeum
- Product
- Tutor LMS – eLearning and online course solution
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Authenticated attackers with custom-level access and above can exploit this vulnerability to append additional SQL queries into existing queries, potentially extracting sensitive information from the database. Operators of WordPress installations with the Tutor LMS – eLearning and online course solution plugin should review and update their systems to prevent exploitation.
Technical summary
The payload is stored at quiz-attempt time via the wp_ajax_tutor_quiz_abandon handler, but the injected SQL executes only when a privileged user or Tutor REST API key holder requests the /wp-json/tutor/v1/quiz-attempt-details/{id} endpoint, making this a second-order (stored) injection chain. The vulnerability is caused by insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The CVE record does not provide specific details about the vulnerability, but it is related to the Tutor LMS – eLearning and online course solution plugin for WordPress.
Defensive priority
Medium priority given the CVSS score of 6.5 and the potential for sensitive information disclosure.
Recommended defensive actions
- Inventory and verify the Tutor LMS eLearning plugin version
- Apply vendor patches or updates to version 4.0.0 or later
- Implement compensating controls such as web application firewalls
- Monitor for suspicious database queries and anomalies
- Restrict access to the /wp-json/tutor/v1/quiz-attempt-details/{id} endpoint
- Review and update access controls for the wp_ajax_tutor_quiz_abandon handler
- Verify the integrity of database queries and parameters
Evidence notes
The CVE record was published on 2026-07-16T09:16:17.440Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide specific details about the vulnerability, but it is related to the Tutor LMS – eLearning and online course solution plugin for WordPress.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T09:16:17.440Z and has not been modified since then.