CVE-2026-22332 (CRITICAL) · CNA: Patchstack

CVE-2026-22332: WordPress Tutor LMS Pro plugin <= 3.9.6 - SQL Injection vulnerability

Unauthenticated SQL Injection in Tutor LMS Pro <= 3.9.6 versions.

Metrics

CVSS v3.1: 9.3
Severity: CRITICAL
Fixed in: no fixed version published
Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated SQL injection vulnerability affects the Tutor LMS Pro WordPress plugin at version 3.9.6 and below. The flaw is reachable over the network with no login or special account required, meaning any internet-accessible WordPress site running the affected plugin is exposed. Successful exploitation gives an attacker read access to the underlying database and limited ability to disrupt service availability. HarborGuard is tracking the advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Patchstack, within minutes of publication and matched against customer images and pipeline builds, including custom-built images containing the Tutor LMS Pro plugin. Any image at or below version 3.9.6 is flagged automatically.
Triage (status: Available)

HarborGuard scores this vulnerability at CVSS 9.3 (Critical) and surfaces it with that severity weighting in the findings dashboard. Per-environment compliance policy rules can escalate routing so that the alert reaches the appropriate team inbox within each customer organization based on their configured severity thresholds.
Patch (status: Pending upstream)

No upstream fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Themeum publishes a remediated release. For customers who opt into auto-remediation, a rebuild, regression run, and PR against affected workloads will be triggered without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the WordPress site's HTTP interface, typically meaning any publicly routable site is at risk.

  • Authentication: Not required

    No account or session credential of any kind is needed; the injection point is reachable by anonymous HTTP requests.

  • Victim interaction: Not required

    Exploitation is fully server-side and requires no action from any logged-in user or administrator.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental factors.

Blast Radius

  • An attacker can read arbitrary rows from the WordPress database, including stored user credentials (hashed passwords), email addresses, session tokens, and plugin configuration data.
  • The scope of the SQL injection crosses the affected component boundary (CVSS Scope: Changed), so database content beyond the plugin's own tables may be accessible depending on the database user's privileges.
  • Service availability is partially affected; malformed or resource-intensive queries can degrade or interrupt database responsiveness for the WordPress installation.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for this CVE as of publication, HarborGuard monitors the Patchstack advisory on every ingest cycle and will make a patched-image rebuild available automatically when Themeum ships a remediated version. In the interim, customers are advised to consider compensating controls such as network-policy rules that restrict public HTTP access to WordPress admin and plugin endpoints, web application firewall rules targeting SQL injection patterns in query parameters, and feature-flag or plugin-deactivation options within WordPress if the LMS functionality is not essential to the running environment. Where compliance policy permits, auto-remediation customers will receive a rebuild, regression-test run, and a PR opened against affected workloads immediately upon upstream fix availability.

Affected packages
  • Themeum / Tutor LMS Pro
    ≤ 3.9.6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L