The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue.
Project Subscriptions
No data.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Mon, 13 Jul 2026 06:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue. | |
| Title | Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Auto-Approved Comment Creation | |
| References |
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2026-07-13T06:00:02.180Z
Reserved: 2026-06-15T11:20:18.693Z
Link: CVE-2026-12273
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
No weakness.