PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15022 themeum CVE debrief

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via Stored Quiz Answer Array in all versions up to, and including, 4.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This vulnerability allows authenticated attackers with custom-level access and above to append additional SQL queries into existing queries, potentially extracting sensitive information from the database. The vulnerability is a second-order (stored) injection chain, as the payload is stored at quiz-attempt time via the wp_ajax_tutor_quiz_abandon handler, but the injected SQL executes only when a privileged user or Tutor REST API key holder requests the /wp-json/tutor/v1/quiz-attempt-details/{id} endpoint.

Vendor
themeum
Product
Tutor LMS – eLearning and online course solution
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Authenticated attackers with custom-level access and above can exploit this vulnerability to append additional SQL queries into existing queries, potentially extracting sensitive information from the database. Operators of WordPress installations with the Tutor LMS – eLearning and online course solution plugin should review and update their systems to prevent exploitation.

Technical summary

The payload is stored at quiz-attempt time via the wp_ajax_tutor_quiz_abandon handler, but the injected SQL executes only when a privileged user or Tutor REST API key holder requests the /wp-json/tutor/v1/quiz-attempt-details/{id} endpoint, making this a second-order (stored) injection chain. The vulnerability is caused by insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The CVE record does not provide specific details about the vulnerability, but it is related to the Tutor LMS – eLearning and online course solution plugin for WordPress.

Defensive priority

Medium priority given the CVSS score of 6.5 and the potential for sensitive information disclosure.

Recommended defensive actions

  • Inventory and verify the Tutor LMS eLearning plugin version
  • Apply vendor patches or updates to version 4.0.0 or later
  • Implement compensating controls such as web application firewalls
  • Monitor for suspicious database queries and anomalies
  • Restrict access to the /wp-json/tutor/v1/quiz-attempt-details/{id} endpoint
  • Review and update access controls for the wp_ajax_tutor_quiz_abandon handler
  • Verify the integrity of database queries and parameters

Evidence notes

The CVE record was published on 2026-07-16T09:16:17.440Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide specific details about the vulnerability, but it is related to the Tutor LMS – eLearning and online course solution plugin for WordPress.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T09:16:17.440Z and has not been modified since then.