CVE-2026-12273
Received Received - Intake

Authenticated Comment Creation in Tutor LMS WordPress Plugin

Vulnerability report for CVE-2026-12273, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: WPScan

Description

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tutor_lms tutor_lms to 3.9.13 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability CVE-2026-12273 affects the Tutor LMS WordPress plugin versions before 3.9.13. It allows authenticated users with subscriber-level access or higher to create comments that are automatically approved without any authorization or validation checks.

Specifically, the plugin does not verify if the user is authorized or if the comment is targeted to a valid post before creating the comment. As a result, these users can post comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue.

Attackers can exploit this by logging in as a subscriber, obtaining a valid nonce from the frontend, and submitting malicious comments via the `tutor_create_lesson_comment` action. The comments are auto-approved and persist hyperlinks while script tags are stripped.

Impact Analysis

This vulnerability can impact you by allowing low-privileged authenticated users to post malicious or unwanted content on your site without moderation.

Since comments are auto-approved and can contain arbitrary HTML and links, attackers could use this to insert spam, phishing links, or other harmful content that could damage your site's reputation or mislead visitors.

Additionally, because comments can be posted on any content including non-existent posts, it could be used to manipulate site content or confuse users.

Detection Guidance

This vulnerability can be detected by monitoring for auto-approved comments containing arbitrary HTML and links posted by authenticated users with subscriber-level access or higher. Since the exploit involves submitting comments via the `tutor_create_lesson_comment` action, checking logs or database entries for comments created without moderation and containing unusual HTML or links can help identify exploitation.

Specifically, detection can involve verifying if comments are being created without passing through the moderation queue and if they contain HTML content or links that are not typical for regular users.

Commands or queries to detect this might include:

  • Query the WordPress database comments table for comments with the 'approved' status set to 1 that contain HTML tags or links, especially those created by subscriber-level users.
  • Check web server or application logs for POST requests to the `tutor_create_lesson_comment` endpoint or action.
  • Use WordPress CLI commands to list recent comments and filter for those with HTML content and approved status.
Mitigation Strategies

The immediate mitigation step is to update the Tutor LMS WordPress plugin to version 3.9.13 or later, where this vulnerability has been fixed.

Until the update can be applied, consider restricting subscriber-level users from posting comments or disabling the comment feature temporarily to prevent exploitation.

Additionally, review and tighten comment moderation settings to ensure comments are not auto-approved without proper validation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12273. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart