# CVE-2026-6080

> Vulnerability · severity: **MEDIUM** (CVSS 6.5).

## Description

The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database.

## Key facts

- **CVE ID:** CVE-2026-6080
- **Published:** 2026-04-17
- **CVSS severity:** MEDIUM
- **CVSS base score:** 6.5
- **CWE codes:** CWE-89

## Primary sources

- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-6080

## Citation

> AI Analytics. CVE-2026-6080. Retrieved 2026-07-17 from https://api.ai-analytics.org/cve/CVE-2026-6080. Derived from NIST NVD. Licensed CC0.

---

*[Dataset catalog](https://api.ai-analytics.org/datasets/) · [AI Analytics](https://api.ai-analytics.org/) · CC0 1.0*