PT-2026-57635 · Undefined · Undefined
Published
2026-07-13
·
Updated
2026-07-13
·
CVE-2026-12273
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue.
Exploit
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Undefined