Share
## https://sploitus.com/exploit?id=96CCC73F-82BC-543A-83A5-59B99E658BD2
# CVE-2025-13673 โ€” Tutor LMS SQL Injection Lab

Unauthenticated SQL Injection in [Tutor LMS](https://wordpress.org/plugins/tutor/) WordPress plugin (prepare('%s', $value)
```

## Exploit Usage

```
usage: exploit.py [-h] [-u USERNAME] [-p PASSWORD] [--course-id COURSE_ID]
                  [--dump-users] [--db-info] [--options] [--all]
                  [--delay DELAY]
                  url

Modes:
  Default (no -u/-p):  Unauthenticated time-based blind SQLi
  With -u/-p:          Authenticated UNION-based (fast)

Examples:
  exploit.py http://target                            # unauth blind
  exploit.py http://target -u student -p pass --all   # auth UNION
```

## Testing Different Versions

```bash
# Test version 3.9.5 (has esc_sql partial mitigation)
./setup.sh 3.9.5

# Test version 3.9.7 (should be fixed)
./setup.sh 3.9.7
```

## Files

| File | Description |
|------|-------------|
| `exploit.py` | Dual-mode PoC: unauth blind + auth UNION |
| `setup.sh` | One-command lab deployment |
| `docker-compose.yml` | WordPress 6.7 + MySQL 8.0 |

## References

- [Wordfence Advisory](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/tutor/tutor-lms-396-unauthenticated-sql-injection-via-coupon-code)
- [Patchstack Advisory](https://patchstack.com/database/wordpress/plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-6-unauthenticated-sql-injection-via-coupon-code-vulnerability)

## Disclaimer

For authorized security testing and educational purposes only.