CVE-2026-12273 PUBLISHED

Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Auto-Approved Comment Creation

Assigner: WPScan
Reserved: 15.06.2026 Published: 13.07.2026 Updated: 13.07.2026

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue.

Product Status

Vendor Unknown
Product Tutor LMS
Versions Default: unaffected
  • affected from 0 to 3.9.13 (excl.)

Credits

  • Muni Nitish Kumar Yaddala finder
  • WPScan coordinator

References

Problem Types

  • CWE-284 Improper Access Control CWE