Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Mon, 13 Jul 2026 18:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-284 CWE-79 |
Mon, 13 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Mon, 13 Jul 2026 06:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue. | |
| Title | Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Auto-Approved Comment Creation | |
| References |
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: WPScan
Published:
Updated: 2026-07-13T15:51:16.393Z
Reserved: 2026-06-15T11:20:18.693Z
Link: CVE-2026-12273
Updated: 2026-07-13T15:51:10.595Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-13T17:45:03Z