PT-2026-57635 · Undefined · Undefined

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-12273

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue.

Exploit

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

CVE-2026-12273

Affected Products

Undefined