๐Ÿ” CVE Alert

CVE-2026-12273

MEDIUM 4.3

Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Auto-Approved Comment Creation

CVSS Score
4.3
EPSS Score
0.1%
EPSS Percentile
4th

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue.

Vendor unknown
Product tutor lms
Published Jul 13, 2026
Last Updated Jul 13, 2026
Stay Ahead of the Next One

Get instant alerts for unknown tutor lms

Be the first to know when new medium vulnerabilities affecting unknown tutor lms are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Unknown / Tutor LMS
0 < 3.9.13

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wpscan.com: https://wpscan.com/vulnerability/93031a51-fd53-48a0-a420-0024bbdaf45b/

Credits

Muni Nitish Kumar Yaddala WPScan