PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12273 Tutor LMS CVE debrief

The Tutor LMS WordPress plugin before version 3.9.13 has a vulnerability that allows authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue. This vulnerability is considered medium severity and has been publicly disclosed. Users of the Tutor LMS WordPress plugin, especially those with subscriber-level access and above, should be aware of this vulnerability and take necessary precautions to prevent exploitation.

Vendor
Tutor LMS
Product
Tutor LMS WordPress plugin
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Users of the Tutor LMS WordPress plugin, especially those with subscriber-level access and above, should be aware of this vulnerability and take necessary precautions to prevent exploitation. This includes updating the plugin to version 3.9.13 or later, restricting comment posting to authorized users only, and monitoring comments for suspicious activity. Additionally, operators and security teams should review the vulnerability's impact on their platforms and implement compensating controls if necessary.

Technical summary

The Tutor LMS WordPress plugin before version 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved. This allows authenticated users with subscriber-level access and above to post auto-approved comments containing arbitrary HTML and links on any content across the site, bypassing the comment moderation queue. The vulnerability has been publicly disclosed and is considered medium severity.

Defensive priority

Medium

Recommended defensive actions

  • Update the Tutor LMS WordPress plugin to version 3.9.13 or later
  • Restrict comment posting to authorized users only
  • Monitor comments for suspicious activity
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-13T07:16:27.733Z and has not been modified since then. The NVD entry is currently Received. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide details on the vulnerability's operational impact or potential mitigations.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T07:16:27.733Z and has not been modified since then. The NVD entry is currently Received.