CVE-2026-12273
Description
The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue.
Metadata
Severity & Metrics
No CVSS data available.
Affected products (1)
| Vendor | Product | Platform | Versions |
|---|---|---|---|
| Unknown | Tutor LMS | — | 0 < 3.9.13 |
Weakness (CWE)
| CWE | Source | Description |
|---|---|---|
| — | cna | CWE-284 Improper Access Control |