PatchSiren cyber security CVE debrief
CVE-2026-22332 Themeum CVE debrief
CVE-2026-22332 is a critical vulnerability in Tutor LMS Pro, a popular WordPress plugin. The vulnerability, which has a CVSS score of 9.3, allows unauthenticated attackers to inject malicious SQL code. This could lead to unauthorized access to sensitive data, modification of database contents and, potentially, elevation of privileges. The vulnerability was published on June 17, 2026, and immediately gained attention due to its severity and potential impact. Users of Tutor LMS Pro versions <= 3.9.6 are strongly advised to take immediate action to mitigate this vulnerability. The vendor has likely released patches or mitigation guidance to address this issue. This vulnerability highlights the importance of keeping software and plugins up to date, especially on widely used platforms like WordPress.
- Vendor: Themeum
- Product: Tutor LMS Pro
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-17
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-17
- Advisory updated: 2026-06-17
Who should care
Administrators and users of Tutor LMS Pro versions <= 3.9.6, WordPress site owners using this plugin, and security teams responsible for monitoring and patching vulnerabilities in their environments should be aware of this critical vulnerability.
Technical summary
CVE-2026-22332 is an unauthenticated SQL injection vulnerability in Tutor LMS Pro. The vulnerability exists in versions <= 3.9.6 and is characterized by a CVSS:3.1 vector of AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L. This means the vulnerability can be exploited over the network with low complexity, requires no privileges or user interaction, crosses a scope boundary, and results in a high impact on confidentiality, a low impact on availability and none on integrity. The CWE-89 weakness classification indicates that the vulnerability involves improper neutralization of special elements used in an SQL command.
Defensive priority
high
Recommended defensive actions
- Immediately update Tutor LMS Pro to a version that addresses this vulnerability (if available).
- Restrict access to the plugin's functionality to only authenticated and authorized users.
- Implement a Web Application Firewall (WAF) to detect and prevent SQL injection attempts.
- Regularly monitor your WordPress site for suspicious activity and ensure all plugins and themes are up-to-date.
- Consider temporarily disabling the plugin if an update is not immediately available.
- Review database permissions and ensure that the database user account used by the plugin has the least privileges necessary.
- Apply general security best practices for WordPress installations, including keeping core, themes, and plugins updated.
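To act on the first recommendation across many sites, a defender needs to know which installs fall in the affected range (<= 3.9.6). The following is an added example, not PatchSiren's or Themeum's code: it reads `wp plugin list --format=json` output per site and flags affected builds, comparing versions numerically so that 3.10.0 is correctly treated as newer than 3.9.6. The plugin slug `tutor-pro` and the sample inventory are assumptions constructed for illustration.

```python
"""Flag WordPress sites whose Tutor LMS Pro install falls in the range
affected by CVE-2026-22332 (versions <= 3.9.6).

Added example, not PatchSiren's or Themeum's code. The input format is that
of `wp plugin list --format=json`; the plugin slug "tutor-pro" is an
ASSUMPTION for illustration and must be checked against a real install.
"""
import json
import re

AFFECTED_MAX = "3.9.6"     # last affected version per the advisory
PLUGIN_SLUG = "tutor-pro"  # assumed slug; verify on a real site


def parse_version(version: str) -> tuple:
    """Turn '3.9.6' or '3.10.0-beta1' into a tuple that compares numerically.

    Plain string comparison gets this wrong ('3.10.0' < '3.9.6' as strings),
    so split on dots and compare integer components; a suffix is dropped.
    """
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not core:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in core.group(0).split("."))

def is_affected(version: str) -> bool:
    """True when version <= 3.9.6 (inclusive, as the advisory states)."""
    return parse_version(version) <= parse_version(AFFECTED_MAX)

def vulnerable_sites(inventory: dict) -> list:
    """inventory maps site name -> JSON text from `wp plugin list --format=json`.
    Returns (site, version, status) for sites with an affected build, inactive
    copies included: the code is still on disk and a later activation exposes it."""
    hits = []
    for site, plugin_json in inventory.items():
        for plugin in json.loads(plugin_json):
            if plugin.get("name") == PLUGIN_SLUG and is_affected(plugin["version"]):
                hits.append((site, plugin["version"], plugin.get("status")))
    return hits

# Constructed sample inventory (not real sites or real wp-cli output).
SAMPLE_INVENTORY = {
    "shop.example": '[{"name":"tutor-pro","status":"active","update":"available","version":"3.9.6"}]',
    "lms.example": '[{"name":"tutor-pro","status":"active","update":"none","version":"3.10.0"}]',
    "old.example": '[{"name":"tutor-pro","status":"inactive","update":"available","version":"3.8.2"},'
                   '{"name":"akismet","status":"active","update":"none","version":"5.3"}]',
}

if __name__ == "__main__":
    for site, ver, status in vulnerable_sites(SAMPLE_INVENTORY):
        print(f"{site}: Tutor LMS Pro {ver} ({status}) is affected by CVE-2026-22332")
```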
Evidence notes
The information provided is based on data from official sources, including CVE.org and the National Vulnerability Database (NVD). The CVE record and NVD details confirm the existence and severity of the vulnerability. Additional information from Patchstack regarding the vulnerability in Tutor LMS Pro <= 3.9.6 versions is also considered.
Official resources
- CVE-2026-22332 CVE record (CVE.org)
- CVE-2026-22332 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: public