Share
## https://sploitus.com/exploit?id=96CCC73F-82BC-543A-83A5-59B99E658BD2
# CVE-2025-13673 โ Tutor LMS SQL Injection Lab
Unauthenticated SQL Injection in [Tutor LMS](https://wordpress.org/plugins/tutor/) WordPress plugin (prepare('%s', $value)
```
## Exploit Usage
```
usage: exploit.py [-h] [-u USERNAME] [-p PASSWORD] [--course-id COURSE_ID]
[--dump-users] [--db-info] [--options] [--all]
[--delay DELAY]
url
Modes:
Default (no -u/-p): Unauthenticated time-based blind SQLi
With -u/-p: Authenticated UNION-based (fast)
Examples:
exploit.py http://target # unauth blind
exploit.py http://target -u student -p pass --all # auth UNION
```
## Testing Different Versions
```bash
# Test version 3.9.5 (has esc_sql partial mitigation)
./setup.sh 3.9.5
# Test version 3.9.7 (should be fixed)
./setup.sh 3.9.7
```
## Files
| File | Description |
|------|-------------|
| `exploit.py` | Dual-mode PoC: unauth blind + auth UNION |
| `setup.sh` | One-command lab deployment |
| `docker-compose.yml` | WordPress 6.7 + MySQL 8.0 |
## References
- [Wordfence Advisory](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/tutor/tutor-lms-396-unauthenticated-sql-injection-via-coupon-code)
- [Patchstack Advisory](https://patchstack.com/database/wordpress/plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-6-unauthenticated-sql-injection-via-coupon-code-vulnerability)
## Disclaimer
For authorized security testing and educational purposes only.