CVE-2026-12273 in Tutor LMS Plugininfo

Summary

by MITRE • 07/13/2026

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/13/2026

The Tutor LMS WordPress plugin vulnerability stems from insufficient input validation and authorization checks within its comment handling mechanisms. This flaw affects versions prior to 3.9.13 and represents a critical security oversight that allows authenticated users with subscriber-level privileges or higher to exploit the system. The vulnerability manifests in the plugin's lack of proper post-target validation before comment creation, combined with inadequate authorization controls that permit arbitrary comment submission without proper moderation checks.

The technical implementation of this vulnerability involves the plugin's comment handler failing to validate whether the requesting user has appropriate permissions to post comments on specific content types or targets. This absence of validation enables malicious actors within the system to submit comments containing arbitrary HTML and links, bypassing normal moderation workflows that would typically filter such content before publication. The flaw specifically affects the auto-approval mechanism which stores comments without proper review processes, allowing immediate visibility across all site content.

The operational impact of this vulnerability extends beyond simple comment spamming, as it enables potential attackers to inject malicious hyperlinks and HTML content into any published material on the WordPress site. This capability allows for cross-site scripting attacks, phishing attempts, and the distribution of malicious code through compromised comment sections. The vulnerability undermines the integrity of user-generated content systems and can be leveraged for reputation damage, data exfiltration, or further attack escalation within the compromised WordPress environment.

Mitigation strategies should focus on implementing proper input sanitization, authorization checks, and validation mechanisms before any comment processing occurs. System administrators must immediately update to Tutor LMS version 3.9.13 or later where these vulnerabilities have been addressed through proper access controls and input validation. Additionally, implementing content security policies and regular security audits of WordPress plugins can help prevent similar issues in other components of the web application stack.

This vulnerability aligns with CWE-89 (Improper Neutralization of Special Elements into SQL Command) and CWE-20 (Improper Input Validation) categories, representing a failure in proper access control enforcement. From an ATT&CK framework perspective, this issue maps to T1566 (Phishing) and T1496 (Resource Hijacking) where compromised comment systems can be leveraged for malicious purposes. The flaw demonstrates the importance of implementing defense-in-depth strategies including proper authorization controls, input sanitization, and regular security assessments of third-party components within web applications.

Responsible

WPScan

Reservation

06/15/2026

Disclosure

07/13/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!