Key vulnerability information

Title: Tutor LMS <= 3.9.6 - Unauthenticated SQL Injection via coupon_code
Severity: 7.5

Description:
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6, due to insufficient escaping of the user-supplied parameter and a lack of proper preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL to existing queries, which can be used to extract sensitive information from the database.
Note: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6; the complete fix is in 3.9.7.

References: plugins.trac.wordpress.org

Vulnerability details:
CVE ID: CVE-2025-13673
CVSS: 7.5 (High)
Publicly published: February 27, 2026
Last updated: February 28, 2026
Researcher: Supakiad S. (m3ez) - E-CQURITY (Thailand)

Affected software:
Software type: Plugin
Software slug: tutor
Patched?: Yes
Remediation: Update to version 3.9.7, or a newer patched version
Affected versions: <= 3.9.6
Patched version: 3.9.7
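The bug class the advisory describes, shown as an added illustrative example that is not Tutor LMS code and does not reproduce the plugin's actual query: a hypothetical coupon lookup that concatenates the request parameter into SQL, an escaping-only variant that shows why esc_sql() by itself is not a complete fix, and the prepared-statement version with allow-list validation. All function, route and table names (example_lookup_coupon_*, example/v1, example_coupons) are invented for illustration; $wpdb->prepare(), $wpdb->get_row(), esc_sql(), sanitize_text_field(), wp_unslash() and the REST API functions are the real WordPress APIs.

```php
<?php
/**
 * Illustrative example only: NOT code from the Tutor LMS plugin.
 * Demonstrates the general bug class in the advisory (a user-supplied
 * coupon code reaching SQL as query text) and the prepared-statement fix.
 */

// --- Vulnerable pattern (hypothetical) ------------------------------------
function example_lookup_coupon_vulnerable( $coupon_code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_coupons'; // hypothetical table name

    // The raw request parameter is concatenated into the query, so anything
    // the caller puts in coupon_code becomes part of the SQL statement.
    $sql = "SELECT * FROM {$table} WHERE coupon_code = '" . $coupon_code . "'";
    return $wpdb->get_row( $sql );
}

// --- Escaping-only "mitigation" (hypothetical, still unsafe) ---------------
// esc_sql() escapes quote characters for use INSIDE a quoted string literal.
// Used on an unquoted value, or forgotten on one of several code paths, it
// leaves the query injectable. This is the shape of an incomplete fix.
function example_lookup_coupon_escaped_only( $coupon_code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_coupons';

    // Value is unquoted, so escaping quotes does not stop injection here.
    $sql = "SELECT * FROM {$table} WHERE coupon_code = " . esc_sql( $coupon_code );
    return $wpdb->get_row( $sql );
}

// --- Hardened pattern -------------------------------------------------------
function example_lookup_coupon_fixed( $coupon_code ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_coupons';

    // Allow-list validation first: reject anything that is not a plausible
    // coupon code. The exact rule is an assumption for this example.
    $coupon_code = sanitize_text_field( wp_unslash( (string) $coupon_code ) );
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $coupon_code ) ) {
        return null;
    }

    // $wpdb->prepare() binds the value as data, not SQL text: %s is quoted
    // and escaped by WordPress. The table name cannot be a placeholder, so it
    // is built from $wpdb->prefix and a constant, never from request data.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE coupon_code = %s",
        $coupon_code
    );
    return $wpdb->get_row( $sql );
}

// Hypothetical unauthenticated entry point. Because permission_callback
// allows every caller, the lookup behind it must be the hardened one.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/coupon', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true', // public endpoint
        'callback'            => function ( WP_REST_Request $request ) {
            $row = example_lookup_coupon_fixed( $request->get_param( 'coupon_code' ) );
            if ( null === $row ) {
                return new WP_Error(
                    'invalid_coupon',
                    'Unknown coupon code',
                    array( 'status' => 404 )
                );
            }
            return rest_ensure_response( array( 'code' => $row->coupon_code ) );
        },
    ) );
} );
```

The practical check on a deployed site is the plugin version: anything below 3.9.7 is in the affected range, and the partial mitigations in 3.9.4 and 3.9.6 should not be treated as a fix. Where an update cannot be applied immediately, allow-list validation of the kind in the fixed function is the input restriction that belongs in front of any coupon lookup reachable without authentication.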