CVE-2025-13673: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in themeum Tutor LMS – eLearning and online course solution
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6.
AI Analysis
Technical Summary
The Tutor LMS plugin for WordPress, widely used for managing eLearning and online courses, contains a SQL injection vulnerability tracked as CVE-2025-13673. The flaw is in the handling of the 'coupon_code' parameter: the value is not sufficiently escaped and the query it is spliced into is not prepared, so a quote character in the parameter terminates the intended string literal and the remainder is parsed as SQL (CWE-89). Because the affected code path is reachable without authentication, an unauthenticated attacker can append additional SQL to the existing query and read data from the WordPress database, such as user records, course details and, where the site stores them, order or payment records. All versions up to and including 3.9.6 are affected; the changes in 3.9.4 and 3.9.6 only partially mitigate the issue, so a site on 3.9.6 should still be treated as vulnerable until a full fix ships. The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (base score 7.5, High) reflects a network-reachable, low-complexity attack that needs no privileges or user interaction and yields high confidentiality impact; integrity and availability are not scored as affected, because the attack as described extracts data rather than modifying it. No public exploit has been reported at the time of this analysis, but an unauthenticated SQL injection in a widely installed plugin is easy to exploit once the injection point is known, so exposed installations should be treated as at risk.
Potential Impact
The primary impact is unauthorized disclosure of data from the WordPress database that Tutor LMS shares with the rest of the site. An attacker can read user records (including password hashes), personal information, course content and, if the site stores them, order or payment records. That exposure brings privacy violations, regulatory non-compliance (for example under GDPR), reputational damage and potential financial loss. The CVSS vector scores no integrity or availability impact, so the flaw as described does not by itself modify data or disrupt service, although password hashes recovered this way can be cracked offline and reused to log in. Because exploitation needs neither authentication nor user interaction, publicly reachable LMS instances are exposed to untargeted mass scanning, and organizations that run Tutor LMS are at risk of data breaches that undermine trust in the platform and create legal liability.
Mitigation Recommendations
1. Update Tutor LMS to the first release that fully fixes CVE-2025-13673 as soon as the vendor publishes it. The CVE record lists no patch link, and versions 3.9.4 and 3.9.6 only partially mitigate the flaw, so a site on 3.9.6 is not fixed by being on the latest listed version. Check the installed version on the Plugins page in wp-admin or with WP-CLI: wp plugin get tutor --field=version
2. Until a full fix is available, add WAF rules that block requests whose coupon_code parameter contains quote characters, SQL comment sequences (--, /*, #) or keywords such as UNION, SELECT, SLEEP or BENCHMARK. Treat this as a stopgap: pattern matching is bypassable through encoding and case variations, and the parameter may arrive in a POST body as well as a query string, so the rule must inspect both.
3. If you maintain custom code or integrations that pass coupon codes into SQL, build the query with $wpdb->prepare() and a %s placeholder rather than string concatenation, and validate the code against a strict allowlist (for example letters, digits, hyphen and underscore, with a length cap) before it reaches the database. Site operators cannot change the plugin's own query, but the allowlist check can still be enforced at the WAF.
4. Run WordPress with a database user that can reach only that site's database. WordPress needs broad rights on its own schema, so the realistic least-privilege boundary is per-database isolation, which keeps an injection in one site from reading other sites' tables on a shared database server.
5. Monitor web server and WAF logs for requests carrying coupon_code values with quotes, comment sequences or SQL keywords, and for repeated requests from one source that vary only that parameter; blind techniques show up as many near-identical requests with changing payloads. Standard access logs record only the query string, not POST bodies, so body inspection needs the WAF or application logging.
6. Where the LMS is not meant to be public (internal training, staging), restrict access to trusted IP ranges; for a public course site this is rarely practical, so rely on items 1, 2 and 5.
7. Include the coupon and checkout flows in SQL injection testing of the LMS environment, and retest after upgrading to confirm the fix.
8. Train development and security teams on parameterised queries and input validation so the same pattern does not recur in custom LMS extensions or integrations.
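The WAF, validation and monitoring recommendations in working form, as an added example that is not Tutor LMS, Wordfence or OffSeq code: an allowlist validator for coupon codes and a scanner that pulls the coupon_code parameter out of combined-format access log lines, URL-decodes it and flags SQL injection indicators and repeat sources. The log lines, the /checkout/ request path and the assumed coupon-code format are constructed for the example and are not the plugin's real routes or rules.

```python
"""Added example for the detection and input-validation recommendations.
Not Tutor LMS, Wordfence or OffSeq code: the log lines, the request path and
the coupon-code format (alphanumerics, '-' and '_', 1-64 chars) are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumed format for a legitimate coupon code; tighten to the real format in use.
COUPON_ALLOWLIST = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Heuristics evaluated on the URL-decoded coupon_code value.
SQLI_PATTERNS = [
    ("quote_or_comment", re.compile(r"['\"`]|--|/\*|#")),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("time_based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I)),
    ("tautology", re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.I)),
]

# Combined log format fields we need. The request body is not logged, so a
# coupon_code sent in a POST body must be inspected at the WAF or application.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_valid_coupon_code(value: str) -> bool:
    """Allowlist check: reject anything outside the assumed coupon format."""
    return bool(COUPON_ALLOWLIST.fullmatch(value))


def classify_coupon_value(value: str) -> list:
    """Names of the heuristics that fire on a decoded value (empty if clean)."""
    reasons = [name for name, rx in SQLI_PATTERNS if rx.search(value)]
    if not reasons and not is_valid_coupon_code(value):
        reasons.append("outside_allowlist")
    return reasons


def scan_access_log(lines) -> list:
    """One finding per request whose coupon_code parameter looks hostile."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        # parse_qs URL-decodes, so %27 becomes a quote before the checks run.
        for value in parse_qs(query, keep_blank_values=True).get("coupon_code", []):
            reasons = classify_coupon_value(value)
            if reasons:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "value": value, "reasons": reasons})
    return findings


def repeat_offenders(findings, threshold: int = 2) -> dict:
    """Source IPs with at least `threshold` flagged requests (repeated attempts)."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log lines; the path is a placeholder, not a real plugin route.
SAMPLE_LOG = [
    '198.51.100.7 - - [28/Feb/2026:07:41:11 +0000] "GET /checkout/?coupon_code=SAVE10 HTTP/1.1" 200 512',
    '203.0.113.10 - - [28/Feb/2026:07:41:12 +0000] "GET /checkout/?coupon_code=x%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 2048',
    '203.0.113.10 - - [28/Feb/2026:07:41:13 +0000] "GET /checkout/?coupon_code=x%27%20OR%201%3D1--%20 HTTP/1.1" 200 2048',
    '203.0.113.10 - - [28/Feb/2026:07:41:14 +0000] "GET /checkout/?coupon_code=x%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 9',
    '198.51.100.8 - - [28/Feb/2026:07:41:15 +0000] "GET /checkout/?coupon_code=WELCOME%2025 HTTP/1.1" 400 77',
]


if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["ts"], h["reasons"], repr(h["value"]))
    print("repeat offenders:", repeat_offenders(hits))
```

The last sample line shows why the allowlist is reported separately from the injection heuristics: a coupon containing a space is malformed but not an attack, so it should be rejected at the edge without generating an incident, while the three requests from 203.0.113.10 fire the quote, UNION, tautology and time-based checks and the same source repeating is the signal recommendation 5 asks for.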
Affected Countries
United States, India, United Kingdom, Canada, Australia, Germany, France, Brazil, South Africa, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-25T18:00:47.434Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a29c1732ffcdb8a21a67e8
Added to database: 2/28/2026, 7:41:11 AM
Last enriched: 2/28/2026, 7:55:24 AM
Last updated: 2/28/2026, 9:40:07 PM
Related Threats
CVE-2026-3010: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Microchip TimePictra (Critical)
CVE-2026-2844: CWE-306 Missing Authentication for Critical Function in Microchip TimePictra (Critical)
CVE-2026-1542: CWE-502 Deserialization of Untrusted Data in Super Stage WP (Unknown)
CVE-2026-2471: CWE-502 Deserialization of Untrusted Data in smub WP Mail Logging (High)
CVE-2024-29741: Elevation of privilege in Google Android (High)